Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-mwwc-3jv2-62j3] AdGuardHome vulnerable to Cross-Site Request Forgery #5001

Conversation

andrewpollock
Copy link

Updates

  • Affected products

Comments
Correct version for SEMVER compliance

@github-actions github-actions bot changed the base branch from main to andrewpollock/advisory-improvement-5001 November 11, 2024 06:12
@shelbyc
Copy link
Contributor

shelbyc commented Nov 12, 2024

👋 Hi @andrewpollock ! The reason that we have the bottom of the vulnerable version range set to >= 0.95 instead of >= 0.95.0 is that the maintainers of https://github.com/AdguardTeam/AdGuardHome appear to have not started using 0.9x.0 until 0.97.0. There is no 0.95.0 version, just 0.95 at https://github.com/AdguardTeam/AdGuardHome/tree/v0.95 and 0.95.hotfix at https://github.com/AdguardTeam/AdGuardHome/tree/v0.95-hotfix.

However, I want to ask you about a different change that would at a SEMVER-compatible lower bound. I dug through the history of control_filtering.go, the file that would become controlfiltering.go, the file called out as vulnerable in the CVE references. I found that the commit that created control_filtering.go wasn't committed until 21 August 2019. The commit itself is tagged with 0.99.0, but the commit date of 21 August 2019 comes just before the release of 0.98.1 on 22 August 2019 (see versions on pkg.go.dev). What do you think about changing the lower bound to >= 0.98.1?

@andrewpollock
Copy link
Author

Hey @shelbyc 👋

Oh, interesting. I hadn't properly appreciated until now that this record is published with an ECOSYSTEM range type (so this version is fine as is) but OSV.dev is coercing all records with ranges for the Go ecosystem to SEMVER, which is where this becomes problematic.

Not your problem 😸

Sorry for the noise!

@github-actions github-actions bot deleted the andrewpollock-GHSA-mwwc-3jv2-62j3 branch November 13, 2024 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants