6.1 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): LOW
Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
References
- https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq (x_refsource_CONFIRM)
Affected products
- >= 6.0, < 6.6
Matching in nixpkgs
- pkgs.swiftlint: A tool to enforce Swift style and conventions
- pkgs.pihole-ftl: Pi-hole FTL engine
- pkgs.python312Packages.softlayer: Python libraries that assist in calling the SoftLayer API
- pkgs.python313Packages.softlayer: Python libraries that assist in calling the SoftLayer API
- pkgs.python314Packages.softlayer: Python libraries that assist in calling the SoftLayer API
Package maintainers
- @onny Jonas Heinrich <onny@project-insanity.org>
- @matteo-pacini Matteo Pacini <m@matteopacini.me>
- @DimitarNestorov Dimitar Nestorov <nix@dimitarnestorov.com>
- @averyvigolo Avery Vigolo <nixpkgs@averyv.me>