CVE-2020-8816
CVE-2020-8816
In short
Pi-hole Web v4.3.2 allows an administrator using the dashboard to run arbitrary code on the server by creating a specially crafted DHCP static lease entry. This is critical because administrators can compromise the entire system.
Technical detail
CWE-78 (OS Command Injection) in Pi-hole Web v4.3.2 allows authenticated dashboard users to execute arbitrary OS commands through unsanitized input in DHCP static lease configuration. The vulnerability requires administrative privileges to access the dashboard interface and craft malicious lease parameters that are passed to system commands without proper escaping.
Summary generated and translated by AI from the official description.
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:H/S:C/UI:N
Affected products
n/a · n/apublic PoCs found — 7
githubgithub.com/cybervaca/CVE-2020-8816★ 11githubgithub.com/AndreyRainchik/CVE-2020-8816★ 10githubgithub.com/team0se7en/CVE-2020-8816★ 6githubgithub.com/martinsohn/CVE-2020-8816★ 1cve_referencepacketstormsecurity.com/files/157861/Pi-Hole-4.3.2-DHCP-MAC-OS-Command-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/158737/Pi-hole-4.3.2-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/48727unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/157861/Pi-Hole-4.3.2-DHCP-MAC-OS-Command-Execution.htmlhttp://packetstormsecurity.com/files/158737/Pi-hole-4.3.2-Remote-Code-Execution.htmlhttps://github.com/pi-hole/AdminLTE/commits/masterhttps://github.com/pi-hole/AdminLTE/pull/1165https://github.com/pi-hole/AdminLTE/releases/tag/v4.3.3https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/https://twitter.com/Nate_Kappa/status/1243900213665902592?s=20https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8816