As far as I can tell/recall, the numbers are not assigned sequentially (thankfully, to your point).
Here: https://cve.mitre.org/cve/identifiers/syntaxchange.html they're called arbitrary, and here: https://cve.mitre.org/cve/identifiers/tech-guidance.html under "Considerations for Output Format" and "Sorting", they say "CVE IDs are not allocated sequentially based on the disclosure date".
I believe that CNAs (CVE Numbering Authorities) are allocated blocks by the CNA or other authority above them in the hierarchy, so CVE-2022-25XXX would be allocated to a specific CNA, and they would hand out numbers as needed (or assign to vulnerabilities within their own products). Though, in this case, that was handed out by Mitre Corp., which is a top-level CNA.
That assignment process I don't have a source for, though, so I may be wrong. Here's a bit of explanation on the hierarchy though: https://www.cve.org/ProgramOrganization/Structure
David Dyck david@ddyck.ca
-----Original Message-----
From: Roundtable roundtable-bounces@muug.ca On Behalf Of Glen Ditchfield
Sent: March 16, 2022 9:49 AM
To: roundtable@muug.ca
Subject: Re: [RndTbl] Remotely exploitable netfilter
On Wednesday, March 16, 2022 8:47:48 A.M. CDT John Lange wrote:
When your firewall is the vulnerability, it's probably not good. Posting for awareness.
https://nvd.nist.gov/vuln/detail/CVE-2022-25636
John
I suppose CVE numbers are given out sequentially? And we're at 25,636, in mid-March? Seems like it was only yesterday when they had to expand the CVE ID format beyond 4 digits...
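The sorting and format points raised in this thread, as an added example that is not part of the original messages: a parser that accepts sequence numbers of four or more digits and sorts by numeric (year, sequence) rather than by string. The sample text and every ID in it other than CVE-2022-25636 are constructed, and the function names are hypothetical.

```python
import re

# CVE ID syntax after the format change: "CVE", a 4-digit year, then a
# sequence number of four OR MORE digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
# Old assumption (exactly four digits), kept only to show the failure mode.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")


def extract_cve_ids(text):
    """Return each distinct CVE ID in text, in order of first appearance."""
    seen = []
    for m in CVE_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def sort_key(cve_id):
    """Numeric (year, sequence) key; raises ValueError on a malformed ID."""
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def sort_cve_ids(ids):
    """Sort for display only: the order says nothing about disclosure date."""
    return sorted(ids, key=sort_key)


# Constructed sample; only CVE-2022-25636 comes from the thread.
SAMPLE = ("Advisory mentions CVE-2022-25636, CVE-2022-1000001 and "
          "CVE-2021-9999; CVE-2022-25636 is the netfilter one.")

if __name__ == "__main__":
    ids = extract_cve_ids(SAMPLE)
    print("numeric order:", sort_cve_ids(ids))
    print("string order: ", sorted(ids))             # misplaces the 7-digit ID
    print("legacy regex: ", LEGACY_RE.findall(SAMPLE))  # truncates long IDs
```

A four-digit-only pattern silently turns CVE-2022-25636 into a different, shorter ID, which is the kind of mismatch to check for in older scanners and ticketing rules.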