The UUID generator is only used in the mobileconfig API, and basically just as a random number with no actual need for cryptographically secure randomness. See PayloadUUID here.
The kardianos/service one has been acknowledged as invalid by the original reporter, see here.
With all that said, we plan a release on Monday, which will include a Go update, and we should probably update those dependencies as well just in case.
Also, which tool did you use to find those? Ah, I see the “made with trivy” part now. Thanks!
ainar-g changed the title from "High and Critical vulnerabilities found: CVE-2022-29583 and CVE-2021-3538" to "Vulnerabilities in dependencies: CVE-2022-29583 and CVE-2021-3538" on Jun 2, 2022
I am running version v0.107.6 on Docker
Issue Details
There are reports of vulnerabilities in the Go packages used in AdGuard Home
CVE-2022-29583
OS Command injection in github.com/kardianos/service
https://avd.aquasec.com/nvd/cve-2022-29583
CVE-2021-3538
satori/go.uuid: predictable UUIDs generated via insecure randomness
https://avd.aquasec.com/nvd/cve-2021-3538
Exploitation attempts were not conducted.
Test was made with trivy
Version: 0.28.1
Vulnerability DB:
Version: 2
UpdatedAt: 2022-06-02 18:05:59.080667081 +0000 UTC
NextUpdate: 2022-06-03 00:05:59.080666681 +0000 UTC
DownloadedAt: 2022-06-02 18:32:50.126480885 +0000 UTC