THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE
PUBLISHED

CVE-2024-34361

Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE)

AssignerGitHub_M
Reserved2024-05-02
Published2024-07-05
Updated2024-07-08

Description

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.



HIGH: 8.6CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 5.18.3
affected

References

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-jg6g-rrj6-xfg6

https://github.com/pi-hole/pi-hole/commit/2c497a9a3ea099079bbcd1eb21725b0ed54b529d

cve.org CVE-2024-34361

nvd.nist.gov CVE-2024-34361

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-34361
© Copyright 2024 THREATINT. Made in Cyprus with +