If you’ve been searching for information about CVE-2021-46975, you may have noticed something odd. Unlike other security vulnerabilities, there’s very little useful info about this CVE online. In this post, we’ll explore what a rejected CVE actually is, dig into the story behind CVE-2021-46975, and explain why some CVEs get rejected or withdrawn. We’ll also show how to interpret a rejected CVE when you find one in a report or scanner output.

What Is CVE-2021-46975?

The short answer: CVE-2021-46975 does not describe a real vulnerability. If you try to look it up in the official CVE database, you’ll see this:

> CVE-2021-46975 :
> Rejected.
> REASON: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

But what does this mean, and why would a CVE get rejected?

How CVE Numbers Work

CVE stands for Common Vulnerabilities and Exposures: a standard way for researchers and vendors to refer to a specific security issue. When someone believes they’ve found a new security flaw, they (or their vendor) can request a CVE number from an official CVE Numbering Authority (CNA). CNAs are organizations authorized by MITRE to manage the assignment of CVE IDs.

A CVE number might get requested and assigned, but later on, the researchers discover that:

- The bug isn’t a real vulnerability (it can’t actually be exploited, or it’s just a misconfiguration).
- The issue was already fixed before public exposure.

When this happens, the CNA withdraws or rejects the CVE. The CVE entry will be forever marked as “REJECTED”, and it should not be used in advisories or tools anymore.

Details on CVE-2021-46975

There is no public exploit, code sample, or affected product for CVE-2021-46975, because it is not a valid vulnerability. The only “official” content is the rejection notice.

Reference:
- CVE-2021-46975 entry on MITRE

Here’s what a rejected CVE looks like in the MITRE database, shown as simplified JSON:

{
  "cve_id": "CVE-2021-46975",
  "state": "REJECT",
  "description": "REJECTED: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
  "references": []
}

Here’s a Python code snippet that checks for rejected CVEs in a vulnerability list:

def is_cve_rejected(cve_entry):
    """Return True if a CVE record (in the shape shown above) is rejected.

    A rejected record carries state "REJECT" and a description starting
    with "REJECTED:"; either signal is enough. Missing keys are treated
    as "not rejected" instead of raising KeyError.
    """
    state = str(cve_entry.get('state', '')).upper()
    description = str(cve_entry.get('description', '')).upper()
    return state.startswith('REJECT') or description.startswith('REJECTED')

sample_cve_entry = {
    'cve_id': 'CVE-2021-46975',
    'state': 'REJECT',
    'description': 'REJECTED: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.'
}

if is_cve_rejected(sample_cve_entry):
    print("This CVE is rejected. No action needed.")
else:
    print("This CVE is still valid!")

What to Do If You Find a REJECTED CVE in Your Report

Don’t panic!
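As an added example (not code from the original post), here is how the single-record check extends to raw scanner output: the script pulls every CVE ID out of scanner lines, looks each one up in a small record set that follows the simplified JSON shape shown earlier, and separates rejected IDs (nothing to fix) from published ones (act on them) and IDs with no local record (look them up before deciding). The record set, the scanner lines, the host and package names, and the placeholder IDs CVE-2021-99999 and CVE-2021-88888 are all constructed for this example; only CVE-2021-46975 and its rejection text come from the post.

```python
import re

# Constructed sample records in the simplified shape the post shows for
# the MITRE entry. The CVE-2021-46975 record repeats the rejection text
# quoted in the post; CVE-2021-99999 is an invented placeholder (not a
# real record) standing in for a published, still-valid CVE.
CVE_RECORDS = {
    "CVE-2021-46975": {
        "cve_id": "CVE-2021-46975",
        "state": "REJECT",
        "description": "REJECTED: This CVE ID has been rejected or withdrawn "
                       "by its CVE Numbering Authority.",
        "references": [],
    },
    "CVE-2021-99999": {  # placeholder id, constructed for this example
        "cve_id": "CVE-2021-99999",
        "state": "PUBLISHED",
        "description": "Constructed placeholder description of a valid CVE.",
        "references": ["https://example.invalid/advisory"],
    },
}

# Constructed scanner output lines; host and package names are invented,
# and CVE-2021-88888 is a placeholder id with no local record at all.
SCAN_OUTPUT = [
    "[HIGH]   host01  libfoo 1.2.3  CVE-2021-46975",
    "[MEDIUM] host01  libbar 4.5.0  CVE-2021-99999",
    "[HIGH]   host02  libfoo 1.2.3  CVE-2021-46975",
    "[LOW]    host02  libbaz 0.9.1  CVE-2021-88888",
]

# CVE IDs have the form "CVE-<year>-<four or more digits>".
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def classify_cve(cve_id, records):
    """Return 'rejected', 'published' or 'unknown' for one CVE ID.

    Both the "REJECT" state used in the post's simplified record and the
    "REJECTED" state used in newer CVE JSON records are accepted, as is a
    description beginning with "REJECTED". An ID with no local record is
    reported as 'unknown' so it gets looked up instead of silently dropped.
    """
    entry = records.get(cve_id)
    if entry is None:
        return "unknown"
    state = str(entry.get("state", "")).upper()
    description = str(entry.get("description", "")).upper()
    if state.startswith("REJECT") or description.startswith("REJECTED"):
        return "rejected"
    return "published"


def triage_scan_output(lines, records):
    """Pull every CVE ID out of scanner text and bucket it by record state.

    Each ID appears once even if several hosts report it, and each bucket
    is sorted so the result is stable for diffing or tests.
    """
    buckets = {"rejected": [], "published": [], "unknown": []}
    seen = set()
    for line in lines:
        for cve_id in CVE_ID_RE.findall(line):
            if cve_id in seen:
                continue
            seen.add(cve_id)
            buckets[classify_cve(cve_id, records)].append(cve_id)
    for ids in buckets.values():
        ids.sort()
    return buckets


def summarize(buckets):
    """Render a short triage summary; rejected IDs need no patching."""
    return "\n".join(
        f"{name}: {', '.join(ids) or '-'}" for name, ids in buckets.items()
    )


if __name__ == "__main__":
    print(summarize(triage_scan_output(SCAN_OUTPUT, CVE_RECORDS)))
```

In practice the record set would be loaded from the official CVE records rather than embedded inline; the classification logic stays the same, and the "unknown" bucket is the one worth watching, since an ID your local copy has never heard of is exactly the case where the official record must be consulted before deciding whether anything needs patching.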

More Information & References

- CVE-2021-46975 on MITRE
- CVE Program FAQ: What does it mean for a CVE Entry to be rejected?
- How CVE IDs are Assigned

Conclusion

CVE-2021-46975 is an example of a rejected CVE – a placeholder number for a vulnerability that never made it to publication. While it’s easy to get concerned if you see a scary CVE number in a scan, always check the official record. If it says “REJECTED”, you can relax – there’s nothing to patch or fix.

If you want to keep your systems secure, always rely on up-to-date advisories and double-check the official records before acting on any vulnerability report.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 03/19/2024 14:15:07 UTC