Update "external" CVE on NVD using the GitHub advisory process

[ohader]

That happened in the past:

• security researchers published CVE-2023-30451 via Mitre and published their findings directly
• later, we published a fix and created a new GH advisory at GHSA-w6x2-jg8h-p6mp, reusing CVE-2023-30451

This is the scenario today:

• NVD's https://nvd.nist.gov/vuln/detail/CVE-2023-30451 still has the initially published version without reflecting the details of GHSA-w6x2-jg8h-p6mp (e.g. version ranges, fixes, assessment & description)
• https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w6x2-jg8h-p6mp/GHSA-w6x2-jg8h-p6mp.json does not seem to be imported/updated by NVD automatically

Thanks in advance for any guidance on this topic 🙏

[cfi-gb]

It seems there is generally no "sync" done in both ways (at least partly) because i have also seen the opposite: Within the Mire CVE entry more recent info was found in comparison to the GHSA advisory.

One example: GHSA-r4wh-9cw3-v2jg which lists Adobe Premiere Pro as being affected while actually Adobe Bridge is the affected product (got changed later in the Mitre CVE entry)

On a related note: I also wonder how the "Reject" state is handled / synced, e.g. CVE-2025-24166 got rejected but GHSA-89f4-8f7w-pp39 doesn't mention anything (yet).