V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2021-32706
CVE
High

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web in…

CVSS
8.8
High
EPSS
0.60
p99
Published
2021-01-01
Updated
2021-01-01
Description

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1.

Tags · CWE
CWE-94
CAPEC-35
CAPEC-77
CAPEC-242
Affected products
Pi-hole < 5.5.1
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Timeline
2021-01-01
Published
2021-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: L
Low (L)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: H
High (H)
Availability Impact
A: H
High (H)
Exploit indicators
EPSS
0.602 · p99
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-35 · CWE-94
└ via CAPEC-35 · CWE-94
└ via CAPEC-35 · CWE-94
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
ProductVendorStatus
pi-hole*Tracked
Source databases
CVE