418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

[Bug] New validation screen doesn't adjust Severity in issued CVE #2203

Closed jaapmarcus closed 2 years ago

jaapmarcus commented 2 years ago

For my repository, yesterday I validated a vulnerability on Huntr.dev:

When I went to adjust Severity I had the option in a select box to select: None, Low, Medium, High, Critical

When I set "Severity" to Low, the form closed and saved the result.

After the vulnerability has been patched / released @JamieSlome published the CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-0986)

[Screenshot, 2022-03-16 21:46:46]

And Huntr.dev

[Screenshot, 2022-03-16 21:41:49]

Report: https://huntr.dev/bounties/57635c78-303f-412f-b75a-623df9fa9edd/

After the vulnerability has been "adjusted", the correct CVSS score should be listed in the CVE...

JamieSlome commented 2 years ago

@jaapmarcus - thanks for notifying us about the issue.

It looks like a gap in my manual process of assigning the CVE. Any reports that have been marked as None or Low will no longer receive CVEs (which is why this report didn't receive one). I should have first checked whether this was the case with this report before publishing the CVE manually.

I will keep this ticket referenced as it certainly demonstrates the need for better automation around CVE assignment and process (#2194).

In the meantime, I have adjusted the CVSS of the CVE to low 👍 (https://github.com/CVEProject/cvelist/pull/4952). Once this has been merged the CVE should update within the hour.

JamieSlome commented 2 years ago

Closing as resolved by CVEProject/cvelist#4952 👍
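The gap described in this thread is a reconciliation problem: the severity chosen on the huntr validation screen and the CVSS carried by the published CVE record can drift apart, and a None/Low report should not have a CVE at all. The script below is an added example, not huntr's code and not the automation referenced in #2194. It maps a CVSS v3.x base score to its qualitative rating (the FIRST scale: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical) and compares that with the report's severity. The report dict, the CVE JSON shape (`containers.cna.metrics[].cvssV3_1.baseScore`, as in CVE JSON 5.0) and the base score 7.5 are constructed for the example; the page does not state what CVSS the original CVE carried.

```python
"""Reconcile a report's adjusted severity with the CVSS in its CVE record.

Added example (not huntr code). The report dict, the CVE record shape and
the base score are constructed assumptions for illustration.
"""
import json
from typing import List, Optional

SEVERITIES = ("None", "Low", "Medium", "High", "Critical")
# Policy stated in the thread: None/Low reports do not receive a CVE.
NO_CVE_SEVERITIES = ("None", "Low")


def cvss3_severity(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (FIRST scale)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


def cve_base_scores(record: dict) -> List[float]:
    """Collect every cvssV3_1 base score from a CVE JSON 5.0-style record."""
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    return [m["cvssV3_1"]["baseScore"] for m in metrics if "cvssV3_1" in m]


def reconcile(report: dict, record: Optional[dict]) -> List[str]:
    """Return a list of findings; an empty list means report and CVE agree."""
    findings: List[str] = []
    sev = report.get("severity")
    if sev not in SEVERITIES:
        return [f"unknown severity {sev!r}"]
    if record is None:
        # No CVE is correct for None/Low; anything higher should have one.
        if sev not in NO_CVE_SEVERITIES:
            findings.append("missing: eligible report has no CVE record")
        return findings
    cve_id = record.get("cveMetadata", {}).get("cveId", "<no id>")
    if sev in NO_CVE_SEVERITIES:
        findings.append(f"policy: {sev} report should not have a CVE ({cve_id})")
    scores = cve_base_scores(record)
    if not scores:
        findings.append(f"missing: {cve_id} carries no cvssV3_1 metric")
    for score in scores:
        rating = cvss3_severity(score)
        if rating != sev:
            findings.append(f"mismatch: report {sev} vs {cve_id} {rating} ({score})")
    return findings


# Constructed inputs: the severity as adjusted on the validation screen, and a
# CVE record whose CVSS was never updated. The 7.5 is made up for the example.
REPORT = {"id": "57635c78-303f-412f-b75a-623df9fa9edd", "severity": "Low"}
CVE_RECORD = json.loads("""{
  "cveMetadata": {"cveId": "CVE-2022-0986"},
  "containers": {"cna": {"metrics": [
    {"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"}}
  ]}}
}""")


if __name__ == "__main__":
    for finding in reconcile(REPORT, CVE_RECORD):
        print(finding)
```

Run over the constructed inputs this reports both problems from the thread: a Low report that nonetheless has a CVE, and a CVE whose CVSS rating (High) does not match the adjusted severity. Running the same check before a manual CVE publication, and again after a severity edit, is the kind of gate the thread's manual process was missing.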