Cyber Resilience

CVE-2024-28247

High · Public PoC

Published: 27 March 2024

Modified: 10 October 2025
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0714 (91.7th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-28247 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Pi-hole. Its CVSS base score is 7.6 (High).

Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Pi-hole, the open-source DNS sinkhole used for network-wide ad blocking, contains an arbitrary file-read flaw in its adlist update handling. When an authenticated user supplies an adlist URL beginning with "file://", the update routine treats the target as a local file and echoes up to five non-domain lines from that file back to the administrative interface. Because the Pi-hole services run with elevated privileges, this exposure occurs with the permissions of the privileged process rather than the authenticated user's own rights.

An attacker who already possesses a valid Pi-hole administrative account can therefore add a crafted local-file adlist pointing to any readable path on the server (for example /etc/shadow, configuration files, or other sensitive data). The resulting output discloses the selected file contents, satisfying the confidentiality component of the reported CVSS 7.6 vector while also permitting limited integrity and availability impact through subsequent misuse of the obtained information.

The project addressed the issue in release 5.18; the fix is documented in GitHub security advisory GHSA-95g6-7q26-mp9x and the corresponding commit that prevents printing of non-domain lines during local-file updates. The associated EPSS score has remained flat at 0.0714 with no material post-disclosure increase.
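As an added example (not code from the Pi-hole project or from this advisory), the following audit lists adlist entries that would take the local-file update path described above, so an administrator can review them on an instance that has not yet been upgraded. It assumes that Pi-hole v5 stores adlists in the `adlist` table of `gravity.db` with `address` and `enabled` columns; the sample database and its entries are constructed for illustration.

```python
import sqlite3
import sys
from urllib.parse import urlparse

# Assumption: Pi-hole v5 keeps adlists in the "adlist" table of gravity.db
# (commonly /etc/pihole/gravity.db), with "address" and "enabled" columns.


def find_local_file_adlists(conn):
    """Return adlist rows whose address starts with "file", the prefix the
    advisory says selects the local-file update path. The match is
    case-insensitive so that odd spellings are also surfaced for review."""
    rows = conn.execute("SELECT id, address, enabled FROM adlist ORDER BY id")
    findings = []
    for row_id, address, enabled in rows:
        candidate = (address or "").strip()
        if not candidate.lower().startswith("file"):
            continue
        findings.append({
            "id": row_id,
            "address": candidate,
            "path": urlparse(candidate).path or None,  # file the entry points at
            "enabled": bool(enabled),
        })
    return findings


def build_sample_db():
    """Constructed sample data, reduced to the columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE adlist (id INTEGER PRIMARY KEY, address TEXT, enabled BOOLEAN)"
    )
    conn.executemany(
        "INSERT INTO adlist (address, enabled) VALUES (?, ?)",
        [
            ("https://blocklist.example/hosts.txt", 1),    # constructed remote list
            ("file:///etc/pihole/custom-block.list", 1),   # constructed local list
            ("FILE:///etc/shadow", 0),                     # constructed suspicious entry
        ],
    )
    return conn


if __name__ == "__main__":
    # Pass a copy of gravity.db as the first argument; otherwise use the sample.
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for f in find_local_file_adlists(conn):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"adlist #{f['id']} ({state}): {f['address']} -> {f['path']}")
```

Run it against a copy of the database rather than the live file, and treat any entry pointing outside a known blocklist directory as something to investigate.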

EU & UK References

Vulnerability details

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pi-hole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs from behind, reading files is done as a privileged user. If the URL that is in the list of "Adlists" begins with "file*" it is understood that it is updating from a local file; on the other hand, if it does not begin with "file*", depending on the state of the response it does one thing or another. The problem resides in the update through local files. When updating from a file which contains non-domain lines, 5 of the non-domain lines are printed on the screen, so if you provide it with any file on the server which contains non-domain lines it will print them on the screen. This vulnerability is fixed by 5.18.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pi-hole
pi-hole
≤ 5.18

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-269

Audit record review and analysis can detect unauthorized exposure or access to sensitive information.

addresses: CWE-269 CWE-200

Defines roles and responsibilities to ensure proper privilege management during configuration changes.

addresses: CWE-200 CWE-269

Hunting tracks data exfiltration or unauthorized disclosure of sensitive information as a key threat indicator.

addresses: CWE-269

Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

addresses: CWE-269

Access supervision ensures privileges are assigned and managed without improper escalation or retention.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-269

Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

References