Description
For the purls:
- pkg:maven/com.fasterxml.woodstox/woodstox-core@5.3.0
- pkg:maven/com.fasterxml.woodstox/woodstox-core@6.2.4
There are 4 REJECTED CVEs in the NVD:
- 2022-40153
- 2022-40154
- 2022-40155
- 2022-40156
For the purl: pkg:maven/com.thoughtworks.xstream/xstream@1.4.20 there are 2 REJECTED CVEs:
- 2022-40153
- 2022-40156
The real CVE for this vuln is 2022-40152.
The NVD page for each REJECTED CVE says:
Rejected
CVE has been marked "REJECT" in the CVE List. These CVEs are stored in the NVD, but do not show up in search results.
Current Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
I found these cases from reviewing a VCIO report for a product, so the cases are incidental.
We need to identify and flag REJECT CVEs. I am not sure how to report these cases or how common they are.
A first solution step should be to investigate how common REJECT CVEs are in the NVD.
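
One way to flag rejected CVEs and measure how common they are in a data set, as an added example that is not part of the original issue or the project's code. It assumes records in the NVD CVE API 2.0 JSON layout (`cve.id`, `cve.vulnStatus`, `cve.descriptions`); the function names, sample records and purl mapping are constructed for illustration.

```python
import re

# Marker that opens the description of a rejected CVE, as quoted from the NVD page.
REJECT_MARKER = re.compile(r"^\s*\*\*\s*REJECT\s*\*\*", re.IGNORECASE)

def is_rejected(record):
    """True when an NVD-style record describes a rejected CVE."""
    cve = record.get("cve", {})
    # Assumed field: NVD CVE API 2.0 reports the state in "vulnStatus".
    if (cve.get("vulnStatus") or "").lower() == "rejected":
        return True
    # Fallback for records without a status: match the description marker.
    return any(REJECT_MARKER.match(d.get("value", ""))
               for d in cve.get("descriptions", []))

def flag_rejected(purl_to_cves, records):
    """Split each purl's CVE list into kept and rejected ids."""
    rejected = {r["cve"]["id"] for r in records if is_rejected(r)}
    return {purl: {"kept": [c for c in cves if c not in rejected],
                   "rejected": [c for c in cves if c in rejected]}
            for purl, cves in purl_to_cves.items()}

def rejected_ratio(records):
    """Share of records that are rejected (how common they are in a data set)."""
    return sum(map(is_rejected, records)) / len(records) if records else 0.0

def _rec(cve_id, status, text):
    # Build one constructed record in the assumed NVD JSON layout.
    cve = {"id": cve_id, "descriptions": [{"lang": "en", "value": text}]}
    if status:
        cve["vulnStatus"] = status
    return {"cve": cve}

REJECT_TEXT = "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."
# Constructed sample records; statuses and the placeholder description are made up.
SAMPLE_RECORDS = [
    _rec("CVE-2022-40152", "Analyzed", "placeholder description (constructed)"),
    _rec("CVE-2022-40153", "Rejected", REJECT_TEXT),
    _rec("CVE-2022-40154", None, REJECT_TEXT),  # no status: marker fallback
    _rec("CVE-2022-40155", "Rejected", ""),     # status only, empty description
    _rec("CVE-2022-40156", None, REJECT_TEXT),
]
WOODSTOX = "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.2.4"
XSTREAM = "pkg:maven/com.thoughtworks.xstream/xstream@1.4.20"
# Constructed mapping; attaching CVE-2022-40152 to woodstox-core is an assumption.
SAMPLE_PURLS = {
    WOODSTOX: [f"CVE-2022-4015{n}" for n in range(2, 7)],
    XSTREAM: ["CVE-2022-40153", "CVE-2022-40156"],
}
```

Checking both the status field and the description marker keeps the flag working on data sources that store only the description text.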