[capableweb]

> Will you release any information about the vulnerability?

> Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.

From their blog.

[ungamedplayer]

Oh absolutely, but its trivial to get a CVE from the relevant CNA's. A webform or a phone call.

Its a bit silly.

[capableweb]

Don't you have to share more details about the exploit then? That seems to be the thing they're trying to avoid for now.

[worthless-trash]

Negative, you can request a CVE without specific details, CNA's do this all the time until unembargo.