
CVE_MAX_ALLOWABLE_CVE_YEAR is overly restrictive for most uses #57

@hkong-mitre

There is a check for CVE IDs to be restricted by the environment variable CVE_MAX_ALLOWABLE_CVE_YEAR. This has proven to be too restrictive for most uses since that rule is already checked in CVE REST Services, and keeping it in cve-core introduces a synchronization vulnerability among services.

I suggest changing the code to default to allowing any year, and only check the CVE_MAX_ALLOWABLE_CVE_YEAR in use cases that require it (e.g., an admin app or a verification service).
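Added example (not part of the original issue and not cve-core's own code): one way a shared library can always check CVE ID syntax while applying the year ceiling only when a caller opts in. The function and type names are hypothetical, the environment is passed in as a plain object, and the ID pattern assumes the public `CVE-YYYY-NNNN` syntax with a sequence of four or more digits.

```typescript
// Hypothetical names throughout; illustration only, not cve-core code.
type Env = Record<string, string | undefined>;

interface CveIdCheck {
  ok: boolean;
  year?: number;   // parsed year, present whenever the syntax is valid
  reason?: string; // why the ID was rejected
}

// Assumed syntax: "CVE-", a 4-digit year, "-", then 4 or more digits.
const CVE_ID_RE = /^CVE-(\d{4})-(\d{4,})$/;

// Reads the opt-in ceiling. Unset or empty means "no ceiling"; a malformed
// value throws instead of silently disabling or tightening the check.
function maxYearFromEnv(env: Env): number | undefined {
  const raw = env["CVE_MAX_ALLOWABLE_CVE_YEAR"];
  if (raw === undefined || raw.trim() === "") return undefined;
  const year = Number(raw);
  if (!Number.isInteger(year) || year < 1000 || year > 9999) {
    throw new Error("CVE_MAX_ALLOWABLE_CVE_YEAR is not a 4-digit year: " + raw);
  }
  return year;
}

// Syntax is always enforced. The year ceiling applies only when maxYear is
// supplied, so the default accepts any year.
function checkCveId(id: string, maxYear?: number): CveIdCheck {
  const match = CVE_ID_RE.exec(id);
  if (match === null) return { ok: false, reason: "syntax" };
  const year = Number(match[1]);
  if (maxYear !== undefined && year > maxYear) {
    return { ok: false, year, reason: "year " + year + " exceeds " + maxYear };
  }
  return { ok: true, year };
}

// Library-style caller: no ceiling, so only the ID syntax is checked.
function checkForLibrary(id: string): CveIdCheck {
  return checkCveId(id);
}

// Admin or verification-style caller: opts in to the configured ceiling.
function checkForAdmin(id: string, env: Env): CveIdCheck {
  return checkCveId(id, maxYearFromEnv(env));
}
```

With a constructed ID such as `CVE-2031-12345`, `checkForLibrary` accepts it, while `checkForAdmin` with `CVE_MAX_ALLOWABLE_CVE_YEAR` set to `2025` rejects it.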
