
The package is blocked by Roave/SecurityAdvisories based on CVE-2024-55586 #314

Open
jkavalik opened this issue Dec 10, 2024 · 13 comments

@jkavalik

Advisory link - GHSA-f626-677r-j5vq
What I suppose was the "source" - https://www.csirt.sk/nette-framework-vulnerability-permits-sql-injection.html

Result - all versions other than 4.0 RC are disallowed.

Imho the app allowing unfiltered user input into the DB library is the definition of an app bug, not a library bug, and the "vulnerability" designation seems nonsense to me, but I am no security expert.

@mfn

mfn commented Dec 10, 2024

Wow, this is such a shitshow.

Now this, last week there was also a similar thing -> Roave/SecurityAdvisories#137 (comment)

Granted, I'm not associated with either and the final verdict has not been spoken yet as to the validity of the claims, but being cautious here I too think the claim as presented on the external link page is not correct.

@dg
Member

dg commented Dec 10, 2024

I found emails that they wrote to me about this. So I replied to them that it’s not a bug, that this behavior is intentional and is also documented. However, I have no idea if it’s possible to revoke such a CVE.

@mfn

mfn commented Dec 10, 2024

The real travesty is that it seems anyone can publish any CVE for any package, without maintainer acknowledgement, but then you need to prove they're not valid etc. Something isn't right here.

@spaze
Contributor

spaze commented Dec 11, 2024

@dg you can start by "improving" (their word, not mine) the GitHub Security Advisory (GHSA) here https://github.com/advisories/GHSA-f626-677r-j5vq/improve

Once/if the GHSA is invalidated, Roave/SecurityAdvisories will/should stop blocking the installation (and the same for composer audit).

Then you can request a CVE rejection here https://cveform.mitre.org/ (Rejected CVE is an official term)

I wouldn't mind much if the CVE is not rejected (heard there's a chance it won't be, in general for various reasons, not this particular CVE) as long as the GHSA is.

I would "improve" the GHSA entry but I think it's better when the "improvement" comes from the maintainer, let's see.

@jkavalik
Author

Great, so a "security expert" does not understand basic principles, says something about "spent time" but - THEIR nonsense stopped OUR CI in its tracks for days without any reason whatsoever...

@8ctopus

8ctopus commented Dec 17, 2024

Any update on when this will be solved? Maybe @dg could release version 3.2.5, this way the block could be removed without waiting for the CVE rejection.

@otazniksk

HINT:
Ignore this CVE in composer.json (temporarily) to unlock the install:

    "config": {
        "audit": {
            "ignore": {
                "CVE-2024-55586": "Visit https://github.com/nette/database/issues/314"
            }
        }
    },

spaze added a commit to spaze/SecurityAdvisoriesBuilder that referenced this issue Dec 17, 2024
Ignore GHSA-f626-677r-j5vq which is, per nette/database#314, a documented and intended feature. The PoC repo and the article from the GHSA are now gone and the CVE itself (CVE-2024-55586) is disputed.
@spaze
Contributor

spaze commented Dec 17, 2024

I have created a PR Roave/SecurityAdvisoriesBuilder#759 to ignore the GHSA/CVE in roave/security-advisories.

@spaze
Contributor

spaze commented Dec 17, 2024

The PR was merged and roave/security-advisories doesn't block nette/database anymore Roave/SecurityAdvisories@3076981

@8ctopus

8ctopus commented Dec 17, 2024

@spaze Thank you!

@dg
Member

dg commented Dec 17, 2024

It sucks that Composer itself started reporting it to me today, so I'll probably release a new version of the package.

@xabbuh

xabbuh commented Dec 17, 2024

@dg you should be able to let Packagist ignore this advisory (see composer/packagist#1493 for such an example)

@spaze
Contributor

spaze commented Dec 19, 2024

To recap, the new 3.2.5 version was released yesterday (thanks @dg!) so composer doesn't complain anymore when installing or running composer audit, and roave/security-advisories has the GHSA/CVE excluded, so CI pipelines should be green once again; mine are.

The CVE itself is still in "disputed" status, "Awaiting Analysis".

@github-staff github-staff deleted a comment from dg Dec 20, 2024