ALT-PU-2024-15780-4

Обновление пакета adguardhome в ветке sisyphus

Версия0.108.0-alt1.beta60

Задание#361624

Опубликовано2026-03-15

Макс. серьёзностьCRITICAL

Серьёзность:

Закрытые проблемы (4)

MEDIUM5.4

In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules.

Опубликовано: 2022-10-11Изменено: 2025-05-20

CVSS 3.xСРЕДНЯЯ 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Ссылки

CRITICAL9.8

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.

Опубликовано: 2026-03-11Изменено: 2026-03-13

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-5fg6-wrq4-w5gh

GHSA-5fg6-wrq4-w5gh

CRITICAL9.8

AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass

Опубликовано: 2026-03-12

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-mwwc-3jv2-62j3

MEDIUM4.3

AdGuardHome vulnerable to Cross-Site Request Forgery

Опубликовано: 2022-10-11Изменено: 2022-10-13

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Ссылки