CVE-2020-14162

EUVD-2020-6319
An issue was discovered in Pi-Hole through 5.0. The local www-data user has sudo privileges to execute the pihole core script as root without a password, which could allow an attacker to obtain root access via shell metacharacters to this script's setdns command.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Affected Products (NVD)
VendorProductVersion
pi-holepi-hole
𝑥
< 5.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://0xpanic.github.io/2020/07/21/Pihole.html
https://docs.pi-hole.net/core/pihole-command/
https://0xpanic.github.io/2020/07/21/Pihole.html
https://docs.pi-hole.net/core/pihole-command/