
[GHSA-mwwc-3jv2-62j3] AdGuardHome vulnerable to Cross-Site Request Forgery #5001

Conversation

andrewpollock

Updates

  • Affected products

Comments
Correct version for SEMVER compliance

@github-actions github-actions bot changed the base branch from main to andrewpollock/advisory-improvement-5001 November 11, 2024 06:12
@shelbyc
Contributor

shelbyc commented Nov 12, 2024

👋 Hi @andrewpollock ! The reason that we have the bottom of the vulnerable version range set to >= 0.95 instead of >= 0.95.0 is that the maintainers of https://github.com/AdguardTeam/AdGuardHome appear to have not started using 0.9x.0 until 0.97.0. There is no 0.95.0 version, just 0.95 at https://github.com/AdguardTeam/AdGuardHome/tree/v0.95 and 0.95.hotfix at https://github.com/AdguardTeam/AdGuardHome/tree/v0.95-hotfix.

However, I want to ask you about a different change that would add a SEMVER-compatible lower bound. I dug through the history of control_filtering.go, the file that would become controlfiltering.go, the file called out as vulnerable in the CVE references. I found that the commit that created control_filtering.go wasn't committed until 21 August 2019. The commit itself is tagged with 0.99.0, but the commit date of 21 August 2019 comes just before the release of 0.98.1 on 22 August 2019 (see versions on pkg.go.dev). What do you think about changing the lower bound to >= 0.98.1?

@andrewpollock
Author

Hey @shelbyc 👋

Oh, interesting. I hadn't properly appreciated until now that this record is published with an ECOSYSTEM range type (so this version is fine as is) but OSV.dev is coercing all records with ranges for the Go ecosystem to SEMVER, which is where this becomes problematic.

Not your problem 😸

Sorry for the noise!
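The range problem discussed in this thread, as an added example that is not part of the advisory or of AdGuardHome: a two-component tag such as 0.95 is not a valid SemVer string, so a consumer that coerces Go-ecosystem ranges to SEMVER rejects it. The OSV-style record below is constructed; only the 0.95 lower bound and the proposed 0.98.1 bound come from the discussion, and the SEMVER range is hypothetical.

```python
import re

# Strict SemVer 2.0.0 grammar (the pattern published at semver.org).
# MAJOR.MINOR.PATCH are all mandatory, so "0.95" and "0.95-hotfix" do not match.
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+(?P<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)


def is_semver(version: str) -> bool:
    """True when `version` is a valid SemVer 2.0.0 string (no leading 'v')."""
    return SEMVER_RE.match(version) is not None


def non_semver_events(record: dict) -> list[str]:
    """List every range-event version in an OSV-style record that a strict
    SEMVER consumer would reject, as 'range-type:event=version' strings."""
    problems = []
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                for kind, version in event.items():
                    # OSV allows the special value "0" for "introduced" to mean
                    # "every version", so it is not treated as a defect here.
                    if kind == "introduced" and version == "0":
                        continue
                    if not is_semver(version):
                        problems.append(f"{rng['type']}:{kind}={version}")
    return problems


# Constructed record modelled on the advisory above. The ECOSYSTEM range carries
# the 0.95 bound from the thread; the SEMVER range is hypothetical and uses the
# 0.98.1 lower bound proposed in the discussion.
ADVISORY = {
    "id": "GHSA-mwwc-3jv2-62j3",
    "affected": [{
        "package": {"ecosystem": "Go", "name": "github.com/AdguardTeam/AdGuardHome"},
        "ranges": [
            {"type": "ECOSYSTEM", "events": [{"introduced": "0.95"}]},
            {"type": "SEMVER", "events": [{"introduced": "0.98.1"}]},
        ],
    }],
}

if __name__ == "__main__":
    print(non_semver_events(ADVISORY))  # ['ECOSYSTEM:introduced=0.95']
```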

@github-actions github-actions bot deleted the andrewpollock-GHSA-mwwc-3jv2-62j3 branch November 13, 2024 06:18