Lucene search

CVE-2021-29449

🗓️ 14 Apr 2021 22:12:15Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 89 Views🌐 WEB

Pi-hole 5.2.4 multiple privilege escalation vulnerabilities. GitHub security advisory

Reporter	Title	Published	Views	Family All 10
Metasploit	Pi-Hole Remove Commands Linux Priv Esc	30 May 202118:48	–	metasploit
Packet Storm	Pi-Hole Remove Commands Linux Privilege Escalation	30 Jul 202100:00	–	packetstorm
NVD	CVE-2021-29449	14 Apr 202122:15	–	nvd
OpenVAS	Pi-hole Core < 5.3 Multiple Privilege Escalation Vulnerabilities	16 Apr 202100:00	–	openvas
Cvelist	CVE-2021-29449 Multiple Privilege Escalation Vulnerabilities Pihole	14 Apr 202122:05	–	cvelist
AttackerKB	CVE-2021-29449	14 Apr 202100:00	–	attackerkb
0day.today	Pi-Hole Remove Commands Linux Privilege Escalation Exploit	30 Jul 202100:00	–	zdt
Prion	Privilege escalation	14 Apr 202122:15	–	prion
OSV	CVE-2021-29449	14 Apr 202122:15	–	osv
Rapid7 Blog	Metasploit Wrap-Up	30 Jul 202118:04	–	rapid7blog

Nvd

Vulners

Node

pi-hole pi-holeRange≤5.2.4

[
  {
    "product": "pi-hole",
    "vendor": "pi-hole",
    "versions": [
      {
        "status": "affected",
        "version": "<= 5.2.4"
      }
    ]
  }
]

Source	Link
github	www.github.com/pi-hole/pi-hole/security/advisories/GHSA-3597-244c-wrpj
compass-security	www.compass-security.com/fileadmin/Research/Advisories/2021-02_CSNC-2021-008_Pi-hole_Privilege_Escalation.txt
packetstormsecurity	www.packetstormsecurity.com/files/163715/Pi-Hole-Remove-Commands-Linux-Privilege-Escalation.html

Parameter	Position	Path	Description	CWE
removestaticdhcp	request body	/usr/local/bin/pihole	Pi-Hole versions 3.0 - 5.3 allow command line input to functions without proper validation, leading to privilege escalation when executed as the www-data user.	CWE-78, CWE-269
removecustomdns	request body	/usr/local/bin/pihole	Pi-Hole versions 3.0 - 5.3 allow command line input to functions without proper validation, leading to privilege escalation when executed as the www-data user.	CWE-78, CWE-269
removecustomcname	request body	/usr/local/bin/pihole	Pi-Hole versions 3.0 - 5.3 allow command line input to functions without proper validation, leading to privilege escalation when executed as the www-data user.	CWE-78, CWE-269

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

14 Apr 2021 22:15Current

7.5High risk

Vulners AI Score7.5

CVSS27.2

CVSS36.3 - 7.8

EPSS0.00655