A CVE ID should be assigned anyway, this will really help downstream distros to track this issue. Please proceed to request one, Apache should be the correct CNA.