|
1 | 1 | { |
2 | 2 | "currentNews": [ |
| 3 | + { |
| 4 | + "id": 523, |
| 5 | + "displayOnHomepageOrder": 1, |
| 6 | + "newsType": "blog", |
| 7 | + "title": "“CNA Rules v4.1.0” Now in Effect", |
| 8 | + "urlKeywords": "“CNA Rules v4 1 0 in Effect", |
| 9 | + "date": "2025-05-20", |
| 10 | + "author": { |
| 11 | + "name": "CVE Program", |
| 12 | + "organization": { |
| 13 | + "name": "CVE Program", |
| 14 | + "url": "" |
| 15 | + }, |
| 16 | + "title": "", |
| 17 | + "bio": "" |
| 18 | + }, |
| 19 | + "description": [ |
| 20 | + { |
| 21 | + "contentnewsType": "paragraph", |
| 22 | + "content": "The <a href='/ResourcesSupport/AllResources/CNARules'>CVE Numbering Authority (CNA) Operational Rules Version 4.1.0</a> took effect on May 14, 2025. The previous version, <a href='/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf' target='_blank'>CNA Rules v4.0</a>, has been deprecated. CNAs are now required to comply with the <a href='/ResourcesSupport/AllResources/CNARules'>CNA Rules v4.1.0</a>." |
| 23 | + }, |
| 24 | + { |
| 25 | + "contentnewsType": "paragraph", |
| 26 | + "content": "CNA Rules v4.1.0, which has no breaking changes and was updated to improve the clarity of the rules, was approved by the <a href='/ProgramOrganization/Board'>CVE Board</a> on May 14, 2025. A <a href='https://github.com/CVEProject/cve-documents/compare/7cc0028...2fbfcdc#diff-74734f54797ef9d6cd30e3ad39f5c3b50c71a10c0f4cb94eb5bb289bebf5fe85' target='_blank'>detailed report</a> is available on GitHub that lists all changes between Version 4.0 and Version 4.1.0." |
| 27 | + }, |
| 28 | + { |
| 29 | + "contentnewsType": "paragraph", |
| 30 | + "content": "Non-breaking changes for CNA Rules v4.1.0 include, but are not limited to, the following:" |
| 31 | + }, |
| 32 | + { |
| 33 | + "contentnewsType": "paragraph", |
| 34 | + "content": "<ul><li><strong>Improved clarity regarding end-of-life (EOL) assignments</strong><ul><li>Added a new section: “4.1.13 The state of a Product being EOL, by itself, MUST NOT be determined to be a Vulnerability.”</li><li>Renumbered sections 4.1.13 and 4.1.14 to 4.1.14 and 4.1.15</li><li>Added a new section: “4.2.17.7 CNAs MUST NOT assign CVE IDs for the sole reason that a Product is or has become EOL. See 4.1.13.”</li><li>Added a new section: “4.2.17.8 If a CNA assigns a CVE ID for a Vulnerability in a supported Product or version, and the same Vulnerability exists in an EOL Product or version, CNAs MUST NOT assign a separate CVE ID for the same Vulnerability in the EOL Product or version. Similar to 4.2.15, there is only one Vulnerability which MUST have one CVE ID.”</li></ul></li><li><strong>Enhanced information about the year portion of the CVE ID</strong><ul><li>Added a new section: “4.2.21 CNAs SHOULD assign the year part of a CVE ID based on the calendar year in which the vulnerability was first Publicly Disclosed, the CVE Record was first published, or the CVE ID was reserved for the vulnerability in question. CNAs MUST NOT, based on this rule, change CVE IDs that have already been published. CNAs MAY assign CVE IDs in one calendar year and publish the corresponding CVE Record in the next calendar year.”</li></ul></li><li><strong>Updated requirements for references</strong><ul><li>Updated an existing section to clearly state that the CVE Record must not be used as its own reference: “5.1.10 MUST contain at least one public reference (see 5.3) that MUST NOT be a reference to the CVE Record itself.”</li></ul></li><li><strong>Grammar fixes and other improvements throughout the document</strong></li></ul>" |
| 35 | + }, |
| 36 | + { |
| 37 | + "contentnewsType": "paragraph", |
| 38 | + "content": "The CNA Rules v4.1.0 is available now on the CVE website as a <a href='/Resources/Roles/Cnas/CNA_Rules_v4.1.0.pdf' target='_blank'>PDF</a> (0.2MB) and on the <a href='/ResourcesSupport/AllResources/CNARules'>CNA Rules web page</a>." |
| 39 | + } |
| 40 | + ] |
| 41 | + }, |
| 42 | + { |
| 43 | + "id": 522, |
| 44 | + "newsType": "news", |
| 45 | + "title": "Extreme Networks, Inc. Added as CVE Numbering Authority (CNA)", |
| 46 | + "urlKeywords": "Extreme Networks Added as CNA", |
| 47 | + "date": "2025-05-20", |
| 48 | + "description": [ |
| 49 | + { |
| 50 | + "contentnewsType": "paragraph", |
| 51 | + "content": "<a href='/PartnerInformation/ListofPartners/partner/ExtremeNetworks'>Extreme Networks, Inc.</a> is now a <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>CVE Numbering Authority (CNA)</a> for vulnerabilities discovered in Extreme Networks, Inc.’s products and services." |
| 52 | + }, |
| 53 | + { |
| 54 | + "contentnewsType": "paragraph", |
| 55 | + "content": "To date, <a href='/PartnerInformation/ListofPartners'>457 CNAs</a> (454 CNAs and 3 CNA-LRs) from <a href='/ProgramOrganization/CNAs'>40 countries</a> and 1 no country affiliation have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCVEID'>CVE Identifiers (CVE IDs)</a> and publish <a href='/ResourcesSupport/Glossary?activeTerm=glossaryRecord'>CVE Records</a> for vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. Extreme Networks, Inc. is the 247th CNA from USA." |
| 56 | + }, |
| 57 | + { |
| 58 | + "contentnewsType": "paragraph", |
| 59 | + "content": "Extreme Networks, Inc.’s Root is the <a href='/PartnerInformation/ListofPartners/partner/mitre'>MITRE Top-Level Root</a>." |
| 60 | + } |
| 61 | + ] |
| 62 | + }, |
| 63 | + { |
| 64 | + "id": 521, |
| 65 | + "newsType": "news", |
| 66 | + "title": "Minutes from CVE Board Teleconference Meeting on April 30 Now Available", |
| 67 | + "urlKeywords": "CVE Board Minutes from April 30", |
| 68 | + "date": "2025-05-20", |
| 69 | + "description": [ |
| 70 | + { |
| 71 | + "contentnewsType": "paragraph", |
| 72 | + "content": "The <a href='/ProgramOrganization/Board'>CVE Board</a> held a teleconference meeting on April 30, 2025. Read the <a href='https://cve.mitre.org/community/board/meeting_summaries/30_April_2025.pdf' target='_blank'>meeting minutes summary</a>." |
| 73 | + }, |
| 74 | + { |
| 75 | + "contentnewsType": "paragraph", |
| 76 | + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." |
| 77 | + } |
| 78 | + ] |
| 79 | + }, |
| 80 | + { |
| 81 | + "id": 520, |
| 82 | + "newsType": "news", |
| 83 | + "title": "Minutes from CVE Board Teleconference Meeting on April 16 Now Available", |
| 84 | + "urlKeywords": "CVE Board Minutes from April 16", |
| 85 | + "date": "2025-05-20", |
| 86 | + "description": [ |
| 87 | + { |
| 88 | + "contentnewsType": "paragraph", |
| 89 | + "content": "The <a href='/ProgramOrganization/Board'>CVE Board</a> held a teleconference meeting on April 16, 2025. Read the <a href='https://cve.mitre.org/community/board/meeting_summaries/16_April_2025.pdf' target='_blank'>meeting minutes summary</a>." |
| 90 | + }, |
| 91 | + { |
| 92 | + "contentnewsType": "paragraph", |
| 93 | + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." |
| 94 | + } |
| 95 | + ] |
| 96 | + }, |
3 | 97 | { |
4 | 98 | "id": 519, |
| 99 | + "displayOnHomepageOrder": 0, |
5 | 100 | "newsType": "news", |
6 | 101 | "title": "CNA Operational Rules Updated to Version 4.1.0", |
7 | 102 | "urlKeywords": "CNA Rules Updated to Version 4 1 0", |
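Review bot: The `urlKeywords` value added for id 523 starts with an unmatched opening curly quote, `"“CNA Rules v4 1 0 in Effect"`, while the other entries in this section use plain words there. If this field feeds the article's URL (inferred from the key name; the consumer is not visible here), the stray character ends up in every link to the post, so I would change the line to `"urlKeywords": "CNA Rules v4 1 0 in Effect"`. Separately, the `content` strings carry raw HTML, including `target='_blank'` links to github.com and cve.mitre.org with no `rel` attribute. Assuming the site injects these strings as markup, adding `rel='noopener noreferrer'` to the external links and keeping edits to this file behind reviewed commits would be the safer convention. The object for id 519 continues past the end of the section.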
|