CVE-2024-34361

Exploit

EPSS 58.18%
Veröffentlicht 05.07.2024 19:15:09
Zuletzt bearbeitet 02.10.2025 13:07:15
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pi-hole ≫ Pi-hole Version < 5.18.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	58.18%	0.981

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/pi-hole/pi-hole/commit/2c497a9a3ea099079bbcd1eb21725b0ed54b529d

Patch

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-jg6g-rrj6-xfg6

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-34361

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-34361

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-34361

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-34361