MITRE page contains a little bit more information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52071

Hope this bullshit will not cease a little bit once you became your own CNA. There should be some penalty for people filling bogus CVEs with MITRE…

> The curl security team will work on getting this CVE rejected.

Good luck on that. At best, it will be labelled as "disputed".

I would recommend you to become a CNA yourself for curl. The general CVE policy is that any reporter need to first reach out to the appropriate CNA to get a CVE for an issue. A reporter can go to a root CNA too, but only after the project CNA has been reached. And there are some conflict resolution policy if the CNA and reporter disagrees.

It's a bit of "paperwork" and administrative steps to get approved as a CNA. You need to document security policies and processes and show you understand how CVE's are worded and registered. But I would expect curl to be in a good position to get approved.

We did that a while back in OpenVPN. And the tooling (in particular cvelib) makes it pretty easy to register and publish CVEs.

This is perfect...

"We cannot say which and the distinction does not matter to us."

"Do not blindly trust the CVE system. It is full of cracks and bogus reports such as CVE-2023-52071."

Okay that seems a bit extreme. Sure do your research seems verify stuff but is it really full of bogus reports?

i wouldn't call 5.8% of cves to be "full" of junk.

Maybe I'm just focusing too much on full there. Just seems unnecessary hyperbole that tries to call the entire nvd into question on its credibility.

It does seem nvd does respond well to rejection process.

they literally have a dashboard

https://nvd.nist.gov/general/nvd-dashboard