Vulnerability Description
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pi-Hole | Pi-Hole | < 5.5.1 |
Related Weaknesses (CWE)
References
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1Release NotesThird Party Advisory
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259ExploitThird Party Advisory
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1Release NotesThird Party Advisory
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259ExploitThird Party Advisory
FAQ
What is CVE-2021-32706?
CVE-2021-32706 is a vulnerability with a CVSS score of 7.6 (HIGH). Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match f...
How severe is CVE-2021-32706?
CVE-2021-32706 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32706?
Check the references section above for vendor advisories and patch information. Affected products include: Pi-Hole Pi-Hole.