Update GHSA-mqcp-p2hv-vw6x.json #5912
Conversation
Hi @odaysec! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Hi @odaysec, after reading more about this vulnerability, including the description of the fix you provided at rails/thor#897, I agree that changing the severity from Because of the sentence If you haven't already, I would encourage you to reach out to MITRE at https://cveform.mitre.org. MITRE provided the CVSS of https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N, and they should also be made aware of the need to make the CVSS more accurate.
Why was a CVE emitted for that PR? None of the maintainers requested it.
Hi @rafaelfranca, I'm confused and want to get a better understanding of what you're asking about. MITRE issued CVE-2025-54314 after receiving public reference links that discussed https://hackerone.com/reports/3260153 and the subsequent PR rails/thor#897 and change notes https://github.com/rails/thor/releases/tag/v1.4.0. Was the HackerOne report https://hackerone.com/reports/3260153 accepted? I see that you merged rails/thor#897 on 18 July 2025 and believed the existence of a PR that a maintainer or maintainers accepted indicated acceptance of the validity of the underlying situation the PR was trying to fix. I also saw you mention rails/thor#909 in this comment. Has issue 909 and/or anything else led you to reevaluate CVE-2025-54314?
The PR was merged, but there is no security vulnerability that is being fixed there. Neither I nor any of the other Rails maintainers requested a CVE to be issued for that PR, because there is no security vulnerability. The method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments to cause a security incident, so there is no vulnerability. rails/thor#909 made me look at the original PR again and see that there was a CVE issued for it even though we didn't request any, but the vulnerability never existed.
@rafaelfranca Thank you for explaining! I recommend reaching out to MITRE at https://cveform.mitre.org/ to file a CVE dispute because they are the CVE Numbering Authority that issued the CVE. Tell them what you've told me, and it would be helpful to show them the conversation that we've had in #5912 so they can get context quickly.
Thanks! I disputed that CVE. Does it get deleted from the advisory database after they approve the dispute?
When MITRE marks a CVE as "disputed," that doesn't do anything automatically to the advisory. An advisory curator still has to read the note in the CVE record about the reason for the dispute and then decide whether or not to initiate the advisory withdrawal process. When my teammates and I receive notification of a CVE record becoming disputed, we read the reason(s) why the dispute occurred and any reference links that can provide context and decide whether or not to withdraw the advisory attached to the CVE. To clarify, MITRE doesn't "approve" CVE disputes. They just make a note that there is a dispute and why the CVE is disputed. It's helpful for them to have a public record of someone (e.g. a maintainer) disputing the validity of a CVE record so that readers of the CVE may see the reason for the dispute and the context of the dispute for themselves. I'm interested to know -- What was the original answer in the HackerOne report about the accuracy of the security impact the report described?

None really. The CVE was created even before anyone in the Rails team could reply. I requested the report to be made public and will link it as soon as it is made public.
advisory was requested by thor team