CVE-2021-32706 HIGH

CVE-2021-32706: (Authenticated) Remote Code Execution Possible in Web Interface 5.5

Vendor Pi-Hole
Product AdminLTE
Weakness CWE-94 · Code injection
Published August 4, 2021
Last update August 3, 2024

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

What the vulnerability does

Description

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1.

Key dates

Disclosure timeline

August 4, 2021 CVE published
August 3, 2024 Record updated