12

Can anyone explain why the numbering of this year's CVE entries jumped from CVE-2017-15xxx to CVE-2017-1000xxx?

What about entries with the numbering sequence CVE-2017-16xxx, CVE-2017-17xxx, and so on?

Why are ~984 000 entries not numbered sequentially? Reading the official documentation gives me no idea about the answer to this question.

Benoit Esnard
urandom
  • 3
    This might have to do with namespaces being reserved for handlers of responsible disclosure other than MITRE. By allotting each some space, the sequence is broken. – Tobi Nary Oct 24 '17 at 10:03
  • 2
    I also noticed this today when I stumbled upon https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101. Given this number, it feels like @SmokeDispenser is right. – Krishna Pandey Oct 24 '17 at 10:46
  • 2
    CNAs are allowed to reserve blocks of CVE IDs to use them later. – Patrick Mevzek Nov 27 '17 at 00:16

2 Answers

4

Probably because this missing block was assigned to a CVE Numbering Authority (CNA): https://cve.mitre.org/cve/cna.html. As soon as a CNA has a vulnerability affecting one of its own products, those missing CVEs will be assigned.

On the CVE details page, you can check which CNA assigned a specific CVE, e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8811 (Debian did it).

VP.
3

CVE IDs are assigned by CVE Numbering Authorities (CNA).

The CVE program uses a federated CNA structure.

CNA structure

When a CNA wants to assign a CVE ID, it must request a CVE ID block from its parent, which will mark this block as reserved.

CVE ID assignment process

All CVE-20XX-1000XXX vulnerabilities were allocated by the Distributed Weakness Filing Project, which is a root CNA, according to the CNA list.

As stated by MITRE, the DWF project was assigned a 7-digit block to differentiate its assignments from other CNA assignments; that's why there's such a large jump.

Benoit Esnard
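An added example, not part of either answer: because reserved blocks leave gaps and sequence numbers vary in width (the CVE ID syntax allows four or more digits), tooling should parse IDs numerically rather than assume a fixed width or sort them as strings. The sample list is constructed for illustration (only CVE-2017-8811 and CVE-2017-1000101 appear on this page), and the block label simply follows the answer above.

```python
import re

# CVE ID syntax: "CVE-", a 4-digit year, "-", then a sequence of 4 OR MORE digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample; it does not claim that every one of these entries is published.
SAMPLE = ["CVE-2017-1000101", "CVE-2017-8811", "CVE-2017-15999",
          "CVE-2017-1000100", "CVE-2017-8812"]

def parse_cve(cve_id):
    """Return (year, sequence) as integers, or raise ValueError."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

def block_of(seq):
    """Label a sequence number; the 1000xxx label is taken from the answer above."""
    if 1000000 <= seq <= 1000999:
        return "1000xxx block (DWF, per the answer above)"
    return "other CNA block"

def contiguous_runs(cve_ids):
    """Sort numerically and collapse IDs into (year, first, last, label) runs."""
    runs = []
    for year, seq in sorted({parse_cve(c) for c in cve_ids}):
        label = block_of(seq)
        if runs and runs[-1][0] == year and runs[-1][2] + 1 == seq and runs[-1][3] == label:
            runs[-1] = (year, runs[-1][1], seq, label)
        else:
            runs.append((year, seq, seq, label))
    return runs

def gaps(runs):
    """Return (year, last_seen, next_seen, missing_count) between runs of one year.
    A gap is reserved or unassigned ID space, not an error in the data."""
    out = []
    for prev, cur in zip(runs, runs[1:]):
        if prev[0] == cur[0]:
            out.append((prev[0], prev[2], cur[1], cur[1] - prev[2] - 1))
    return out

if __name__ == "__main__":
    print("string sort :", sorted(SAMPLE))  # puts the 7-digit IDs first
    for run in contiguous_runs(SAMPLE):
        print("run         :", run)
    for gap in gaps(contiguous_runs(SAMPLE)):
        print("gap         :", gap)
```
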