CVE has assignment "rules" to avoid problems like these, but I get the impression that they're not really enforced anywhere by anyone.
What do you call rules that aren't enforced? "Suggestions"?
Conversation
Notices
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 17-Jan-2024 03:57:07 JST 
Will Dormann
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 17-Jan-2024 03:57:08 JST
Will Dormann
This isn't the first time CVE abuse for libraries has happened.
Take the recent libweb vulnerability. Apple got the report and assigned CVE-2023-41064 to "ImageIO"
Google got the report and assigned CVE-2023-4863 to "Chrome"
Eventually MITRE fixed the latter CVE to be libwebp. -
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 17-Jan-2024 03:57:09 JST
Will Dormann
CVE wonders:
Apache created CVE-2023-49070 to capture: "Our OFBiz product has Apache XML-RPC, which is vulnerable to CVE-2019-17570".
This seems... wrong?
If every vendor created a new CVE to capture "Hey, we use library <foo> that already has a CVE", how can this possibly scale?
-
Embed this notice
All GNU social JP content and data are available under the