NVD Vulnerability Detail

CVE-2020-8816

Summary	Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
Publication Date	May 30, 2020, 4:15 a.m.
Registration Date	Jan. 26, 2021, 12:02 p.m.
Last Update	Nov. 21, 2024, 2:39 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:pi-hole:pi-hole::::::::			4.3.2

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/157861/Pi-Hole-4.3.2-DHCP-MAC-OS-Command-Execution.html	Third Party Advisory VDB Entry
2	http://packetstormsecurity.com/files/157861/Pi-Hole-4.3.2-DHCP-MAC-OS-Command-Execution.html	Third Party Advisory VDB Entry
3	http://packetstormsecurity.com/files/158737/Pi-hole-4.3.2-Remote-Code-Execution.html	Third Party Advisory VDB Entry
4	http://packetstormsecurity.com/files/158737/Pi-hole-4.3.2-Remote-Code-Execution.html	Third Party Advisory VDB Entry
5	https://github.com/pi-hole/AdminLTE/commits/master	Patch Third Party Advisory
6	https://github.com/pi-hole/AdminLTE/commits/master	Patch Third Party Advisory
7	https://github.com/pi-hole/AdminLTE/pull/1165	Patch Third Party Advisory
8	https://github.com/pi-hole/AdminLTE/pull/1165	Patch Third Party Advisory
9	https://github.com/pi-hole/AdminLTE/releases/tag/v4.3.3	Release Notes Third Party Advisory
10	https://github.com/pi-hole/AdminLTE/releases/tag/v4.3.3	Release Notes Third Party Advisory
11	https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/	Exploit Third Party Advisory
12	https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/	Exploit Third Party Advisory
13	https://twitter.com/Nate_Kappa/status/1243900213665902592?s=20	Press/Media Coverage
14	https://twitter.com/Nate_Kappa/status/1243900213665902592?s=20	Press/Media Coverage

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html

JVN Vulnerability Information

Pi-hole Web における脆弱性

Title	Pi-hole Web における脆弱性
Summary	Pi-hole Web (別名 AdminLTE) には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 19, 2020, midnight
Registration Date	June 24, 2020, 1:55 p.m.
Last Update	June 24, 2020, 1:55 p.m.

Affected System

Pi-hole

Pi-hole 4.3.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-8816	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8816
National Vulnerability Database (NVD)
2	CVE-2020-8816	https://nvd.nist.gov/vuln/detail/CVE-2020-8816

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
GitHub
1	AdminLTE/commits/master	https://github.com/pi-hole/AdminLTE/commits/master
2	Fix potential code injection on MAC address validator #1165	https://github.com/pi-hole/AdminLTE/pull/1165
3	Pi-hole Web version 4.3.3	https://github.com/pi-hole/AdminLTE/releases/tag/v4.3.3

Change Log

No	Changed Details	Date of change
1	[2020年06月24日] 掲載	June 24, 2020, 1:55 p.m.