
[GHSA-f626-677r-j5vq] Nette Database SQL injection #5079

CSIRTTrizna

Updates

  • Affected products
  • References

Comments
The vulnerability has been disputed and the resources are no longer available

@github-actions github-actions bot changed the base branch from main to CSIRTTrizna/advisory-improvement-5079 December 12, 2024 10:54
@darakian
Contributor

and the resources are no longer available

This resource?
https://github.com/CSIRTTrizna/CVE-2024-55586

This is a repo under your account, is it not?

@CSIRTTrizna
Author

Used to be yes, however the vulnerability has been disputed and the repository has been made private as a result.

@darakian
Contributor

darakian commented Dec 13, 2024

The repo was private before the CVE was disputed, though. See: #5074 (comment)
Note the time of my comment and the history on the NVD page.

The other link has thankfully been captured by the wayback machine
https://web.archive.org/web/20241211070016/https://www.csirt.sk/nette-framework-vulnerability-permits-sql-injection.html
But with both primary source links now being dead, it seems to me that this CVE should really be rejected. Are you the one that requested the CVE from MITRE? If so, please ask them to reject it unless you believe it to be a valid issue, and if you believe it to be a valid issue then open up your repo and let's have a conversation 👍

@sheriffjimmy

@CSIRTTrizna I think that it would be more professional to inform about the fact that the reported vulnerability was a false positive instead of removing the article and making your repo private.

@darakian
Contributor

@CSIRTTrizna I'd like to get this resolved. Can you comment on how you intend to move forward here?

@CSIRTTrizna
Author

Hello,
Yes, I have requested the rejection from MITRE, and it was indeed a false positive resulting from a misunderstanding of the functionality and miscommunication with the authors.
I would like to close the issue to ensure that the development of the Nette framework is not delayed because of it.
Thanks.

@darakian darakian closed this Dec 19, 2024
@github-actions github-actions bot deleted the CSIRTTrizna-GHSA-f626-677r-j5vq branch December 19, 2024 19:42
@darakian
Contributor

@CSIRTTrizna cool. We've gone ahead and withdrawn our advisory in the meantime.
