← back
CVE-2020-11108

CVE-2020-11108

EPSS 78.3%
Vexday Risk Score
62High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Popular PoC on GitHub (27 stars) — exploitation code widely available.
CVSS EPSS 78.3%KEV nãoPoC públicaNuclei Metasploit simPatch
Lifecycle
04 Apr 2020Public PoC
10 May 2020Metasploit module available
11 May 2020Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.