CVE-2024-34361
Published: 05 July 2024
Summary
CVE-2024-34361 is a high-severity SSRF (CWE-918) vulnerability in Pi-hole. Its CVSS base score is 8.5 (High).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Pi-hole versions prior to 5.18.3 contain a server-side request forgery vulnerability in the gravity_DownloadBlocklistFromUrl() function. The affected component is the core DNS sinkhole software that blocks unwanted content for client devices without requiring local agents. The flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 8.5.
An authenticated user with low privileges can exploit the issue over the network to force the server to issue internal requests. Under certain conditions this leads to remote command execution, granting the attacker full control over confidentiality, integrity, and availability of the Pi-hole instance.
The official GitHub security advisory GHSA-jg6g-rrj6-xfg6 and the referenced commit 2c497a9a3ea099079bbcd1eb21725b0ed54b529d state that version 5.18.3 contains the fix. The EPSS score has remained flat at 0.5818 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34734
Vulnerability details
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.