{"vulnerability": "cve-2020-24616", "sightings": [{"uuid": "99b8ce4f-695e-4d04-8a67-269f659f4012", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2020-24616", "type": "seen", "source": "https://gist.github.com/hypergalois/e7077b83b2dbb66313dd9cc387d14c0c", "content": "# Affected-Version External Validation Bundle\n\nThis is the current advisory-owner publication packet.\n\n## Summary\n\n- source queue rows: `33`\n- publication-eligible queue rows: `9`\n- non-publication queue rows retained internally: `24`\n- publication units: `9`\n- GitHub issue units: `5`\n- manual route units: `4`\n- zip SHA-256: `d418fc3b820414447687442551c613c78fec5ef080c3fa9440c354b0957faedd`\n\n## Publication Units\n\n| Candidate | Target | Route | Priority |\n|---|---|---|---|\n| `CVE-2018-19360` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2018-19360` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2019-10219` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2020-24616` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2020-24616` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2024-22257` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2024-22257` | `CVE` | `https://www.cve.org/ResourcesSupport/ReportRequest` | `P0` |\n| `CVE-2026-40180` | `GHSA` | `https://github.com/github/advisory-database` | `P1` |\n| `CVE-2026-40180` | `OSV` | `https://github.com/google/osv.dev` | `P1` |\n\n## Payloads\n\n### CVE-2018-19360 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `8272a04cb4c4fe332d317d5cba26f51a5d9a7aa38b7525e8a8c4b706e743a007`\n\n# CVE-2018-19360: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2018-19360`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2018-19360__GHSA.md` | `7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8` |\n\n## Reproduction\n\n```sh\nmake cve-2018-19360\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8`\n- target-specific report: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2018-19360`\n- bitstring: `1111101010`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1`\n  - version: `2.7.0-rc1`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2`\n  - version: `2.7.0-rc2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3`\n  - version: `2.7.0-rc3`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2018-19360 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `174c0431cd676c8fe0df96c362bfe4e7c2d0d73b486411ad39da49cd03b6073c`\n\n# CVE-2018-19360: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2018-19360`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2018-19360__NVD.md` | `20595e055968d39065c456d63d5d502d243d1753b5648c2e009a09d4ec9c465b` |\n\n## Reproduction\n\n```sh\nmake cve-2018-19360\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `20595e055968d39065c456d63d5d502d243d1753b5648c2e009a09d4ec9c465b`\n- target-specific report: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2018-19360`\n- bitstring: `1111101010`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1`\n  - version: `2.7.0-rc1`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2`\n  - version: `2.7.0-rc2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3`\n  - version: `2.7.0-rc3`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2019-10219 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `72a79b62a61b2d0424460a5ee2a222650a0ed48fae1b859fcad1af61ff5b703f`\n\n# CVE-2019-10219: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2019-10219`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `6`\n- source-disagreement versions: `7`\n- report paths: `external_validation_reports/CVE-2019-10219_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2019-10219__GHSA.md` | `9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090` |\n\n## Reproduction\n\n```sh\nmake cve-2019-10219\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090`\n- target-specific report: `external_validation_reports/CVE-2019-10219_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2019-10219`\n- bitstring: `011111111001100`\n- minimum interval cover: `2`\n- V-S-V witnesses: `1`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `org.hibernate:hibernate-validator:5.1.3.Final`\n  - version: `5.1.3.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.2.5.Final`\n  - version: `5.2.5.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.3.6.Final`\n  - version: `5.3.6.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.4.2.Final`\n  - version: `5.4.2.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.4.3.Final`\n  - version: `5.4.3.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate.validator:hibernate-validator:6.1.0.Alpha6`\n  - version: `6.1.0.Alpha6`\n  - claim projection decisions: `GHSA:fixed`\n  - excluding sources: `GHSA`\n  - detail: GHSA: version equals GHSA first_patched_version\n## Source Disagreements\n\n- versions with source disagreement: `4.3.2.Final, 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6`\n\n### CVE-2020-24616 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `5f870288db037a32053feb076e5744ba384991db9a10aa8ec0a56f03b17e0aee`\n\n# CVE-2020-24616: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2020-24616`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2020-24616__GHSA.md` | `ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4` |\n\n## Reproduction\n\n```sh\nmake cve-2020-24616\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4`\n- target-specific report: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2020-24616`\n- bitstring: `10110110`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.10.0`\n  - version: `2.10.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.10.5`\n  - version: `2.10.5`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.0`\n  - version: `2.11.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.2`\n  - version: `2.11.2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2020-24616 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `9101ea70bf77bbca5ac9128afeef2d86cfd5cabbe894846dc1d11a0ba6937843`\n\n# CVE-2020-24616: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2020-24616`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2020-24616__NVD.md` | `84164e37953507501f9c9996e9abec7d0a84e757cc3f385e7ab1e9c75befa465` |\n\n## Reproduction\n\n```sh\nmake cve-2020-24616\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `84164e37953507501f9c9996e9abec7d0a84e757cc3f385e7ab1e9c75befa465`\n- target-specific report: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2020-24616`\n- bitstring: `10110110`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.10.0`\n  - version: `2.10.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.10.5`\n  - version: `2.10.5`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.0`\n  - version: `2.11.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.2`\n  - version: `2.11.2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2024-22257 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `d22323305a6e20b05fa22a78f90be1eb3fa1e6a26c46e4a735492fabcadcddf9`\n\n# CVE-2024-22257: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2024-22257`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `8`\n- report paths: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2024-22257__NVD.md` | `7e8251bd847fae2084d77a34174d311bfc6a08d98eda6108a902d773e1f0931c` |\n\n## Reproduction\n\n```sh\nmake cve-2024-22257\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `7e8251bd847fae2084d77a34174d311bfc6a08d98eda6108a902d773e1f0931c`\n- target-specific report: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2024-22257`\n- bitstring: `111110101010`\n- minimum interval cover: `4`\n- V-S-V witnesses: `3`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `3`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `org.springframework.security:spring-security-core:2.0.8.RELEASE`\n  - version: `2.0.8.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:3.0.0.RELEASE`\n  - version: `3.0.0.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:4.2.20.RELEASE`\n  - version: `4.2.20.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:5.6.12`\n  - version: `5.6.12`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n## Source Disagreements\n\n- versions with source disagreement: `2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2`\n\n### CVE-2024-22257 / CVE\n\n- route: `https://www.cve.org/ResourcesSupport/ReportRequest`\n- payload SHA-256: `2303f71a4c64a251d0029bf3203781a7ba3b9cc571440df744f6add4eda1add4`\n\n# CVE-2024-22257: executable affected-version evidence for CVE\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2024-22257`\n- route URL: `https://www.cve.org/ResourcesSupport/ReportRequest`\n- targets: `CVE`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `8`\n- report paths: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `CVE` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2024-22257__CVE.md` | `74ab80e11cc1ddb0019f9289a3766608e93b8386b5fb1d9eeeb84a72ac7d7d3b` |\n\n## Reproduction\n\n```sh\nmake cve-2024-22257\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: CVE / claim-source\n\n- target-specific body SHA-256: `74ab80e11cc1ddb0019f9289a3766608e93b8386b5fb1d9eeeb84a72ac7d7d3b`\n- target-specific report: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2024-22257`\n- bitstring: `111110101010`\n- minimum interval cover: `4`\n- V-S-V witnesses: `3`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `3`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `org.springframework.security:spring-security-core:2.0.8.RELEASE`\n  - version: `2.0.8.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:3.0.0.RELEASE`\n  - version: `3.0.0.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:4.2.20.RELEASE`\n  - version: `4.2.20.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:5.6.12`\n  - version: `5.6.12`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n## Source Disagreements\n\n- versions with source disagreement: `2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2`\n\n### CVE-2026-40180 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `6d68b018881317fed2214dd04460a6948f601135e1eed9cfc72702569541e307`\n\n# CVE-2026-40180: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2026-40180`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P1`\n- grouped queue rows: `1`\n- P0 rows in group: `0`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P1` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2026-40180__GHSA.md` | `0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea` |\n\n## Reproduction\n\n```sh\nmake cve-2026-40180\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea`\n- target-specific report: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2026-40180`\n- bitstring: `11100000`\n- minimum interval cover: `1`\n- V-S-V witnesses: `0`\n- zero-error single intervals: `1`\n- full-recall false-positive lower bound: `0`\n- zero-false-positive false-negative lower bound: `0`\n## Projection-Loss Coordinates\n\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0`\n  - version: `2.14.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts`\n  - version: `2.14.0-lts`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0`\n  - version: `2.15.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2026-40180 / OSV\n\n- route: `https://github.com/google/osv.dev`\n- payload SHA-256: `ca791acfd0f6483a434acbf80df1f62c536fb5bb1210176f833a3c5dfd3a91d6`\n\n# CVE-2026-40180: executable affected-version evidence for OSV\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2026-40180`\n- route URL: `https://github.com/google/osv.dev`\n- targets: `OSV`\n- route kinds: `claim-source`\n- priority: `P1`\n- grouped queue rows: `1`\n- P0 rows in group: `0`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `OSV` | `claim-source` | `P1` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2026-40180__OSV.md` | `5e54d610c96742a60ae45d1d3cfaf22f81c05d5cd41495149e208ff4c0a02d4e` |\n\n## Reproduction\n\n```sh\nmake cve-2026-40180\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: OSV / claim-source\n\n- target-specific body SHA-256: `5e54d610c96742a60ae45d1d3cfaf22f81c05d5cd41495149e208ff4c0a02d4e`\n- target-specific report: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2026-40180`\n- bitstring: `11100000`\n- minimum interval cover: `1`\n- V-S-V witnesses: `0`\n- zero-error single intervals: `1`\n- full-recall false-positive lower bound: `0`\n- zero-false-positive false-negative lower bound: `0`\n## Projection-Loss Coordinates\n\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0`\n  - version: `2.14.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts`\n  - version: `2.14.0-lts`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0`\n  - version: `2.15.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n## Source Disagreements\n\n- none recorded for this case\n", "creation_timestamp": "2026-06-30T03:22:28.280573Z"}]}