CVE-2020-11108

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
Configurations

Configuration 1 (hide)

cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-05-11 15:15

Updated : 2024-02-28 17:47


NVD link : CVE-2020-11108

Mitre link : CVE-2020-11108

CVE.ORG link : CVE-2020-11108


JSON object : View

Products Affected

pi-hole

  • pi-hole
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type