6

I am writing an application which uses CVE identifiers to cross-reference vulnerabilities. I would like to make it compatible with future CVE identifiers.

If it happens that there are more than 9999 CVE identifiers in a year, what number will follow after 9999?

For example what will be the identifier after CVE-2012-9999? Will it be CVE-2012-10000 or something else?

The highest CVE number in 2011 seems to be CVE-2011-5096 thus it is just a matter of time when this becomes a real issue.

I have tried to find this out at https://cve.mitre.org/ but I can only find the following:

CVE entries and candidates are of the form CVE-YYYY-XXXX where YYYY is a year, and XXXX is a number.

That does not really help.

snap
  • 163
  • 4

3 Answers3

13

The Common Vulnerability and Exposures system is maintained by Mitre. The Mitre corporation manages the CVE list and serves as an organizer for the CVE community.

At the start of the year Mitre will allocate blocks of CVE numbers to various CVE Numbering authorities out of the full 9998 available (0001-9999). As a result, all CVE numbers issued to an authority within a given year will fall within a range. For example in 2012 all CVE numbers issued to Apple products fall within the CVE-2012-3600 range. Mitre will leave unallocated space in order to issue new CVE numbers if a CVE authority were to exhaust their supply.

So what about your question? What if they have 10,000 CVE numbers issued in one year? Well the most ever issued was 6,608 in 2006. So that was close, but since 2006 there has been an unsettling rate of decline so it doesn't look like we will ever issue 10,000 CVE numbers in one year. If we were, I suspect that we will have CVE-2012-10000. They would do this because its regular, the only reason why they have the four digit number scheme is to allow for pre-allocation to CVE authorities.

From my experience emailing Mitre is usually the best way to obtain CVE numbers. They treat you with respect and have the option to preserve your anonymity. Mitre will work with vendors to make sure the issues are fixed and issue a CVE to the public when a fix is available.

rook
  • 47,238
  • 10
  • 96
  • 182
  • 3
    +1 for the advice around emailing Mitre. They're curt, professional and accomodating, even in cases where the vendor is being (to put it bluntly) an asshole. – Polynomial Aug 06 '12 at 06:08
4

There was no need for anything beyond CVE-2012-9999 to be issued, as the last CVE ID issued for 2012 was CVE-2012-6700.

Since then, MITRE has determined that a situation such as you propose would be handled simply by adding digits to the end of the ID when needed. See my answer on the linked duplicate for more details.

Community
  • 1
Iszi
  • 27,127
  • 18
  • 101
  • 163
2

So as of now we have larger CVEs (the DWF project https://distributedweaknessfiling.org/ has been assigned CVE-YEAR-1000000 through CVE-YEAR-1999999). I just assigned CVE-2016-1000000 to an issue found by Tenable (Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection). So if you have not implemented https://cve.mitre.org/cve/identifiers/syntaxchange.html you're in for a bad time.

Kurt
  • 266
  • 1
  • 6