6.1 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): LOW
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed package swiftlint
- @LeSuisse removed package python312Packages.softlayer
- @LeSuisse removed package python313Packages.softlayer
- @LeSuisse removed package python314Packages.softlayer
- @LeSuisse removed package chickenPackages_5.chickenEggs.ftl
- @LeSuisse accepted
- @LeSuisse published on GitHub
Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
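A constructed model of the authorization pattern described above, added here as an example and not FTL's own code: per-handler opt-in checks (the config handler enforces the CLI read-only rule, the teleporter handler does not) next to a dispatcher-level fail-closed rule that protects every route regardless of what the handler remembers. The session kinds, method strings, route table and empty allow-list are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the two API session kinds; not FTL's own types. */
typedef enum { SESSION_FULL, SESSION_CLI } session_kind;

/* Vulnerable shape: each handler opts in to the CLI read-only check itself.
 * The config handler does, the teleporter handler does not, so a CLI
 * session can import an archive and overwrite configuration. */
static bool config_handler(session_kind s, const char *method) {
    if (s == SESSION_CLI && strcmp(method, "GET") != 0)
        return false;                  /* CLI sessions may only read config */
    return true;                       /* request would be processed */
}

static bool teleporter_handler(session_kind s, const char *method) {
    (void)s;                           /* no scope check at all: the defect */
    (void)method;
    return true;                       /* import proceeds for any session */
}

/* Routes a request to its handler; authorization is left to the handlers. */
bool route_to_handler(session_kind s, const char *method, const char *path) {
    if (strcmp(path, "/api/config") == 0)     return config_handler(s, method);
    if (strcmp(path, "/api/teleporter") == 0) return teleporter_handler(s, method);
    return false;                      /* unknown route is rejected */
}

/* Hardened shape: one fail-closed rule runs before any handler. A CLI
 * session gets read-only methods everywhere; writes it may perform must be
 * on an explicit allow-list (assumed empty here). */
static const char *const CLI_WRITE_ALLOWLIST[] = { NULL };

static bool method_is_read_only(const char *method) {
    return strcmp(method, "GET") == 0 || strcmp(method, "HEAD") == 0;
}

static bool cli_write_allowed(const char *path) {
    for (size_t i = 0; CLI_WRITE_ALLOWLIST[i] != NULL; i++)
        if (strcmp(CLI_WRITE_ALLOWLIST[i], path) == 0) return true;
    return false;
}

bool hardened_dispatch(session_kind s, const char *method, const char *path) {
    if (s == SESSION_CLI && !method_is_read_only(method) && !cli_write_allowed(path))
        return false;                  /* denied centrally, handler never runs */
    return route_to_handler(s, method, path);   /* handlers left unchanged */
}
```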
References
- https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq (x_refsource_CONFIRM)
Affected products
- >= 6.0, < 6.6
Matching in nixpkgs
Ignored packages (5)
- pkgs.swiftlint: A tool to enforce Swift style and conventions
- pkgs.python312Packages.softlayer: Python libraries that assist in calling the SoftLayer API
- pkgs.python313Packages.softlayer: Python libraries that assist in calling the SoftLayer API
- pkgs.python314Packages.softlayer: Python libraries that assist in calling the SoftLayer API
Package maintainers
- @averyvigolo Avery Vigolo <nixpkgs@averyv.me>