CVE-2022-38322 - What Happens When a CVE Gets Rejected?

When browsing vulnerability databases or reading security bulletins, you might come across entries like CVE-2022-38322 that come with a note: "Rejected" or "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." This can be confusing, especially if you’re trying to understand whether your systems are still at risk. In this article, we'll look at CVE-2022-38322 as a case study to explain what a rejected CVE means, why it happens, and why it's important to pay attention to these entries.

What Is CVE-2022-38322?

When first listed, CVE-2022-38322 appeared as just another entry in the massive Common Vulnerabilities and Exposures (CVE) catalog. A CVE ID is simply a unique identifier for one publicly disclosed security vulnerability, used worldwide as a common reference in threat intelligence, security patches, and vulnerability scanners.

However, if you check the official CVE record, you'll see this:

> REJECTED
> --
> This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
> - Reason: This candidate was withdrawn by its CNA.
> - Further Action: None.
> - Notes: None.

Why Do CVEs Get Rejected?

A CVE ID is rejected when the CVE Numbering Authority (CNA) that issued it decides the ID should not exist. The usual reasons are mundane: the report turned out to be a duplicate of an existing CVE, the reported behavior was not a vulnerability at all, or there was a simple administrative or reporting mistake.

Let's say a researcher thinks they've found a vulnerability in a popular open source project and requests a CVE. If, after investigation, the maintainers determine that the code behaves as intended, or that the bug was already patched and tracked under another CVE, the CNA rejects the new ID rather than leave a bogus or duplicate entry in the catalog. Note the difference between those two outcomes: in the "not a bug" case there is no vulnerability, while in the duplicate case the vulnerability is real and only the extra identifier goes away.

What Does It Mean for You?

If a CVE ID is labeled "Rejected," as CVE-2022-38322 is, there is nothing to patch under that number: the ID no longer identifies a vulnerability, and vulnerability scanners and ticket queues should suppress it rather than report it. The one check worth making is whether the rejection notes point at another identifier, because a duplicate is rejected in favor of the CVE that now tracks the issue; if they do, carry on with that ID instead. In this record the Reason is that the candidate was withdrawn by its CNA, Further Action is "None," and Notes is "None," so nothing else is outstanding.

Example: How a Rejected CVE Looks in a Scanner

Some automated tools may still show rejected CVEs if their databases aren't updated. Here’s a sample output from a vulnerability scanning script:

vulnerabilities = [
    {"id": "CVE-2022-38322", "status": "rejected"},
    {"id": "CVE-2022-30797", "status": "active"},
]

for vuln in vulnerabilities:
    if vuln["status"] == "rejected":
        print(f"{vuln['id']} is rejected! No action needed.")
    else:
        print(f"{vuln['id']} is active. Investigate further.")

Output

CVE-2022-38322 is rejected! No action needed.
CVE-2022-30797 is active. Investigate further.
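The status strings in the snippet above have to come from somewhere. The following added example (not code from the original article) shows how a scanner can derive that status from the CVE record itself and, for the duplicate case, route the analyst to the replacement ID instead of silently dropping the finding. It assumes the CVE JSON 5.0 record layout, in which cveMetadata.state is PUBLISHED or REJECTED and a rejected record carries containers.cna.rejectedReasons and, when the ID was rejected in favor of another, containers.cna.replacedBy; it also recognises the older "** REJECT ** ... ConsultIDs: ..." description text. All records below are constructed samples, and every ID except CVE-2022-38322 is a placeholder.

```python
"""Triage CVE records by the record's own state rather than a hand-written status string.

Assumes the CVE JSON 5.0 layout (cveMetadata.state, containers.cna.rejectedReasons,
containers.cna.replacedBy) plus the legacy "** REJECT **" description text. The
sample records at the bottom are constructed; IDs other than CVE-2022-38322 are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Legacy MITRE rejection text looked like:
# "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-YYYY-NNNN. Reason: ... Notes: none."
_LEGACY_REJECT = re.compile(r"^\s*\*\*\s*REJECT\s*\*\*", re.IGNORECASE)
_CONSULT_IDS = re.compile(r"ConsultIDs:\s*(.*?)\s*Reason:", re.IGNORECASE | re.DOTALL)
_CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Triage:
    cve_id: str
    state: str                       # PUBLISHED or REJECTED
    action: str                      # investigate | check_replacement | none
    replaced_by: List[str] = field(default_factory=list)
    reason: str = ""


def parse_legacy_reject(text: str) -> Optional[Tuple[List[str], str]]:
    """Return (consult_ids, reason_text) for a legacy '** REJECT **' description, else None."""
    if not _LEGACY_REJECT.match(text):
        return None
    m = _CONSULT_IDS.search(text)
    ids = _CVE_ID.findall(m.group(1)) if m else []
    return ids, text.strip()


def triage_record(record: dict) -> Triage:
    """Decide what a scanner should do with one CVE record."""
    meta = record["cveMetadata"]
    cve_id = meta["cveId"]
    state = meta.get("state", "PUBLISHED").upper()
    cna = record.get("containers", {}).get("cna", {})
    if state != "REJECTED":
        return Triage(cve_id, state, "investigate")

    reason = " ".join(r.get("value", "") for r in cna.get("rejectedReasons", [])).strip()
    replaced_by = list(cna.get("replacedBy", []))
    # Older records carried the rejection as a description string; harvest its ConsultIDs.
    if not reason:
        for d in cna.get("descriptions", []):
            parsed = parse_legacy_reject(d.get("value", ""))
            if parsed:
                ids, reason = parsed
                replaced_by += ids
    # A rejected ID is closed, but in the duplicate case the vulnerability is still
    # open under the replacement ID, so that is where the analyst must look next.
    replaced_by = sorted(set(replaced_by) - {cve_id})
    action = "check_replacement" if replaced_by else "none"
    return Triage(cve_id, state, action, replaced_by, reason)


def triage_feed(records) -> dict:
    """Map CVE ID -> action; only 'none' entries are safe for a scanner to suppress."""
    return {t.cve_id: t.action for t in map(triage_record, records)}


# Constructed sample records in the shape of CVE JSON 5.0 (placeholder IDs except the first).
SAMPLE_RECORDS = [
    {   # Withdrawn by its CNA with no replacement: nothing to do.
        "cveMetadata": {"cveId": "CVE-2022-38322", "state": "REJECTED"},
        "containers": {"cna": {"rejectedReasons": [
            {"lang": "en", "value": "This candidate was withdrawn by its CNA. Further Action: None. Notes: None."}]}},
    },
    {   # Rejected as a duplicate: the issue is real and tracked under the replacement ID.
        "cveMetadata": {"cveId": "CVE-2099-0002", "state": "REJECTED"},
        "containers": {"cna": {
            "rejectedReasons": [{"lang": "en", "value": "Duplicate of CVE-2099-0001."}],
            "replacedBy": ["CVE-2099-0001"]}},
    },
    {   # Legacy-style rejection text carried in a description, pointing at another ID.
        "cveMetadata": {"cveId": "CVE-2099-0003", "state": "REJECTED"},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value":
            "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2099-0004. "
            "Reason: This candidate is a duplicate of CVE-2099-0004. Notes: none."}]}},
    },
    {   # Published record: normal investigation path.
        "cveMetadata": {"cveId": "CVE-2099-0005", "state": "PUBLISHED"},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Placeholder description."}]}},
    },
]

if __name__ == "__main__":
    for cve_id, action in triage_feed(SAMPLE_RECORDS).items():
        print(f"{cve_id}: {action}")
```

The design choice is that "rejected" alone is never enough to drop a finding: the function suppresses an entry only when the record names no replacement, and otherwise hands the analyst the ID that now tracks the issue.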

Exploit Details? There Are None

Because CVE-2022-38322 has been rejected with no replacement ID, there is no associated vulnerability, no PoC code, and no exploit to worry about under this number. A proof of concept circulating under a rejected ID is either mislabeled (it belongs to whichever CVE the rejection points to, if any) or simply a mistake.

Official References

- CVE-2022-38322 - MITRE CVE record
- About CVE Entries Marked REJECTED

Final Thoughts

When you see a *rejected* CVE entry like CVE-2022-38322, nothing needs fixing under that number; if the rejection points to another CVE, carry on with that one instead. Rejected CVEs help keep the vulnerability database accurate and trustworthy. Always double-check your scanner results and read CVE descriptions carefully. Sometimes the most important thing to know is when nothing needs to be done.

Timeline

Published on: 08/12/2024 13:38:09 UTC