Pi-hole Core v5.18 released to fix an Authenticated Arbitrary File Read with root privileges vulnerability
A vulnerability was recently discovered in Pi-hole’s gravity script that would allow for any system file to be arbitrarily read and presented to an authenticated user on the web interface.
This release mitigates the vulnerability by limiting gravity’s ability to read local file’s to only those that are explicitly readable by anyone on the system.
More information can be found here: https://github.com/pi-hole/pi-hole/security/advisories/GHSA-95g6-7q26-mp9x
Many thanks to Github User @T0X1Cx for their responsible (and detailed!) disclosure of this vulnerability.
As a reminder, potential issues can be reported to us either through Github’s vulnerability reporting tools or by emailing us on disclosure@pi-hole.net
What’s Changed
- Drop Fedora 36 and add Fedora 39 to the test suite by @yubiuser in #5568
- [Vulnerability Fix] Only use local files (file://) when they have explicit permissions a+r by @DL6ER 9dd138b
Full Changelog: v5.17.3...v5.18