{"vulnerability": "cve-2024-22257", "sightings": [{"uuid": "aecdb880-7822-46bd-a569-27c122f8bda8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-22257", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/4313", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-22257\n\ud83d\udd25 CVSS Score: 8.1 (CVSS_V3)\n\ud83d\udd39 Description: In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.\n\nSpecifically, an application is vulnerable if:\n\nThe application uses AuthenticatedVoter directly and a null authentication parameter is passed to it, resulting in an erroneous true return value.\n\nAn application is not vulnerable if any of the following is true:\n\n* The application does not use AuthenticatedVoter#vote directly.\n* The application does not pass null to AuthenticatedVoter#vote.\n\nNote that AuthenticatedVoter is deprecated since 5.8; use implementations of AuthorizationManager as a replacement.\n\ud83d\udccf Published: 2024-03-18T15:30:51Z\n\ud83d\udccf Modified: 2025-02-13T19:05:40Z\n\ud83d\udd17 References:\n1. https://nvd.nist.gov/vuln/detail/CVE-2024-22257\n2. https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61\n3. https://github.com/spring-projects/spring-security\n4. https://security.netapp.com/advisory/ntap-20240419-0005\n5. 
https://spring.io/security/cve-2024-22257", "creation_timestamp": "2025-02-13T19:16:36.000000Z"}, {"uuid": "41da2909-79bd-45e1-bc10-cf8d21a3156c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-22257", "type": "seen", "source": "https://t.me/ctinow/210703", "content": "https://ift.tt/PScVHT0\nCVE-2024-22257", "creation_timestamp": "2024-03-18T16:26:47.000000Z"}, {"uuid": "4c38ab64-d05c-4b9d-b842-f72b0d225c34", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-22257", "type": "seen", "source": "https://t.me/ctinow/210849", "content": "https://ift.tt/b5sYzS4\nCVE-2024-22257", "creation_timestamp": "2024-03-18T19:06:23.000000Z"}, {"uuid": "bee01731-fa33-4d21-8d36-985c012eeb2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-22257", "type": "seen", "source": "https://t.me/ctinow/210708", "content": "https://ift.tt/PScVHT0\nCVE-2024-22257", "creation_timestamp": "2024-03-18T16:26:55.000000Z"}, {"uuid": "aa51fe50-21bb-4683-9742-66888175b8c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2024-22257", "type": "seen", "source": "https://gist.github.com/hypergalois/e7077b83b2dbb66313dd9cc387d14c0c", "content": "# Affected-Version External Validation Bundle\n\nThis is the current advisory-owner publication packet.\n\n## Summary\n\n- source queue rows: `33`\n- publication-eligible queue rows: `9`\n- non-publication queue rows retained internally: `24`\n- publication units: `9`\n- GitHub issue units: `5`\n- manual route units: `4`\n- zip SHA-256: `d418fc3b820414447687442551c613c78fec5ef080c3fa9440c354b0957faedd`\n\n## Publication Units\n\n| Candidate | Target | Route | Priority 
|\n|---|---|---|---|\n| `CVE-2018-19360` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2018-19360` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2019-10219` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2020-24616` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2020-24616` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2024-22257` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2024-22257` | `CVE` | `https://www.cve.org/ResourcesSupport/ReportRequest` | `P0` |\n| `CVE-2026-40180` | `GHSA` | `https://github.com/github/advisory-database` | `P1` |\n| `CVE-2026-40180` | `OSV` | `https://github.com/google/osv.dev` | `P1` |\n\n## Payloads\n\n### CVE-2018-19360 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `8272a04cb4c4fe332d317d5cba26f51a5d9a7aa38b7525e8a8c4b706e743a007`\n\n# CVE-2018-19360: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2018-19360`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2018-19360__GHSA.md` | `7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8` |\n\n## Reproduction\n\n```sh\nmake 
cve-2018-19360\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8`\n- target-specific report: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2018-19360`\n- bitstring: `1111101010`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1`\n  - version: `2.7.0-rc1`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2`\n  - version: `2.7.0-rc2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3`\n  - version: `2.7.0-rc3`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### 
CVE-2018-19360 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `174c0431cd676c8fe0df96c362bfe4e7c2d0d73b486411ad39da49cd03b6073c`\n\n# CVE-2018-19360: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2018-19360`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2018-19360__NVD.md` | `20595e055968d39065c456d63d5d502d243d1753b5648c2e009a09d4ec9c465b` |\n\n## Reproduction\n\n```sh\nmake cve-2018-19360\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `20595e055968d39065c456d63d5d502d243d1753b5648c2e009a09d4ec9c465b`\n- target-specific report: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2018-19360`\n- bitstring: `1111101010`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1`\n  - version: `2.7.0-rc1`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2`\n  - version: `2.7.0-rc2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3`\n  - version: `2.7.0-rc3`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2019-10219 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `72a79b62a61b2d0424460a5ee2a222650a0ed48fae1b859fcad1af61ff5b703f`\n\n# CVE-2019-10219: executable affected-version evidence for GHSA\n\n## Requested 
Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2019-10219`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `6`\n- source-disagreement versions: `7`\n- report paths: `external_validation_reports/CVE-2019-10219_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2019-10219__GHSA.md` | `9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090` |\n\n## Reproduction\n\n```sh\nmake cve-2019-10219\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090`\n- target-specific report: `external_validation_reports/CVE-2019-10219_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2019-10219`\n- bitstring: `011111111001100`\n- minimum interval cover: `2`\n- V-S-V witnesses: `1`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `org.hibernate:hibernate-validator:5.1.3.Final`\n  - version: `5.1.3.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.2.5.Final`\n  - version: `5.2.5.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.3.6.Final`\n  - version: `5.3.6.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.4.2.Final`\n  - version: `5.4.2.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.4.3.Final`\n  - version: `5.4.3.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA 
lower-bound for this Maven coordinate\n- `org.hibernate.validator:hibernate-validator:6.1.0.Alpha6`\n  - version: `6.1.0.Alpha6`\n  - claim projection decisions: `GHSA:fixed`\n  - excluding sources: `GHSA`\n  - detail: GHSA: version equals GHSA first_patched_version\n## Source Disagreements\n\n- versions with source disagreement: `4.3.2.Final, 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6`\n\n### CVE-2020-24616 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `5f870288db037a32053feb076e5744ba384991db9a10aa8ec0a56f03b17e0aee`\n\n# CVE-2020-24616: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2020-24616`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2020-24616__GHSA.md` | `ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4` |\n\n## Reproduction\n\n```sh\nmake cve-2020-24616\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4`\n- target-specific report: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2020-24616`\n- bitstring: `10110110`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.10.0`\n  - version: `2.10.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.10.5`\n  - version: `2.10.5`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.0`\n  - version: `2.11.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.2`\n  - version: `2.11.2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## 
Source Disagreements\n\n- none recorded for this case\n\n### CVE-2020-24616 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `9101ea70bf77bbca5ac9128afeef2d86cfd5cabbe894846dc1d11a0ba6937843`\n\n# CVE-2020-24616: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2020-24616`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2020-24616__NVD.md` | `84164e37953507501f9c9996e9abec7d0a84e757cc3f385e7ab1e9c75befa465` |\n\n## Reproduction\n\n```sh\nmake cve-2020-24616\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `84164e37953507501f9c9996e9abec7d0a84e757cc3f385e7ab1e9c75befa465`\n- target-specific report: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2020-24616`\n- bitstring: `10110110`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.10.0`\n  - version: `2.10.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.10.5`\n  - version: `2.10.5`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.0`\n  - version: `2.11.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.2`\n  - version: `2.11.2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## 
Source Disagreements\n\n- none recorded for this case\n\n### CVE-2024-22257 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `d22323305a6e20b05fa22a78f90be1eb3fa1e6a26c46e4a735492fabcadcddf9`\n\n# CVE-2024-22257: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2024-22257`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `8`\n- report paths: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2024-22257__NVD.md` | `7e8251bd847fae2084d77a34174d311bfc6a08d98eda6108a902d773e1f0931c` |\n\n## Reproduction\n\n```sh\nmake cve-2024-22257\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `7e8251bd847fae2084d77a34174d311bfc6a08d98eda6108a902d773e1f0931c`\n- target-specific report: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2024-22257`\n- bitstring: `111110101010`\n- minimum interval cover: `4`\n- V-S-V witnesses: `3`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `3`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `org.springframework.security:spring-security-core:2.0.8.RELEASE`\n  - version: `2.0.8.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:3.0.0.RELEASE`\n  - version: `3.0.0.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:4.2.20.RELEASE`\n  - version: `4.2.20.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:5.6.12`\n  - version: `5.6.12`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; 
NVD: no NVD CPE row matched the configured product\n## Source Disagreements\n\n- versions with source disagreement: `2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2`\n\n### CVE-2024-22257 / CVE\n\n- route: `https://www.cve.org/ResourcesSupport/ReportRequest`\n- payload SHA-256: `2303f71a4c64a251d0029bf3203781a7ba3b9cc571440df744f6add4eda1add4`\n\n# CVE-2024-22257: executable affected-version evidence for CVE\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2024-22257`\n- route URL: `https://www.cve.org/ResourcesSupport/ReportRequest`\n- targets: `CVE`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `8`\n- report paths: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `CVE` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2024-22257__CVE.md` | `74ab80e11cc1ddb0019f9289a3766608e93b8386b5fb1d9eeeb84a72ac7d7d3b` |\n\n## Reproduction\n\n```sh\nmake cve-2024-22257\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: CVE / claim-source\n\n- target-specific body SHA-256: `74ab80e11cc1ddb0019f9289a3766608e93b8386b5fb1d9eeeb84a72ac7d7d3b`\n- target-specific report: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2024-22257`\n- bitstring: `111110101010`\n- minimum interval cover: `4`\n- V-S-V witnesses: `3`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `3`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `org.springframework.security:spring-security-core:2.0.8.RELEASE`\n  - version: `2.0.8.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:3.0.0.RELEASE`\n  - version: `3.0.0.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:4.2.20.RELEASE`\n  - version: `4.2.20.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:5.6.12`\n  - version: `5.6.12`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; 
NVD: no NVD CPE row matched the configured product\n## Source Disagreements\n\n- versions with source disagreement: `2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2`\n\n### CVE-2026-40180 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `6d68b018881317fed2214dd04460a6948f601135e1eed9cfc72702569541e307`\n\n# CVE-2026-40180: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2026-40180`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P1`\n- grouped queue rows: `1`\n- P0 rows in group: `0`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P1` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2026-40180__GHSA.md` | `0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea` |\n\n## Reproduction\n\n```sh\nmake cve-2026-40180\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea`\n- target-specific report: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2026-40180`\n- bitstring: `11100000`\n- minimum interval cover: `1`\n- V-S-V witnesses: `0`\n- zero-error single intervals: `1`\n- full-recall false-positive lower bound: `0`\n- zero-false-positive false-negative lower bound: `0`\n## Projection-Loss Coordinates\n\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0`\n  - version: `2.14.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts`\n  - version: `2.14.0-lts`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0`\n  - version: `2.15.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2026-40180 / OSV\n\n- route: `https://github.com/google/osv.dev`\n- payload SHA-256: `ca791acfd0f6483a434acbf80df1f62c536fb5bb1210176f833a3c5dfd3a91d6`\n\n# CVE-2026-40180: executable 
affected-version evidence for OSV\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2026-40180`\n- route URL: `https://github.com/google/osv.dev`\n- targets: `OSV`\n- route kinds: `claim-source`\n- priority: `P1`\n- grouped queue rows: `1`\n- P0 rows in group: `0`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `OSV` | `claim-source` | `P1` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2026-40180__OSV.md` | `5e54d610c96742a60ae45d1d3cfaf22f81c05d5cd41495149e208ff4c0a02d4e` |\n\n## Reproduction\n\n```sh\nmake cve-2026-40180\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. 
Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: OSV / claim-source\n\n- target-specific body SHA-256: `5e54d610c96742a60ae45d1d3cfaf22f81c05d5cd41495149e208ff4c0a02d4e`\n- target-specific report: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2026-40180`\n- bitstring: `11100000`\n- minimum interval cover: `1`\n- V-S-V witnesses: `0`\n- zero-error single intervals: `1`\n- full-recall false-positive lower bound: `0`\n- zero-false-positive false-negative lower bound: `0`\n## Projection-Loss Coordinates\n\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0`\n  - version: `2.14.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts`\n  - version: `2.14.0-lts`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0`\n  - version: `2.15.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n## Source Disagreements\n\n- none recorded for this case\n", "creation_timestamp": "2026-06-30T03:22:28.371002Z"}]}
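Added worked example, not part of the vulnerability-lookup record above and not the gist author's tooling (the `make` targets the gist lists are not reproduced here). It recomputes the "executable certificate" metrics that each packet prints from its version bitstring, and classifies a version against the affected ranges stated in the CVE-2024-22257 description in the first sighting. The metric semantics are an assumption: the gist does not define them, so they are reconstructed here so that they reproduce all five published certificates (bitstring positions are tested versions in release order, `1` = witnessed vulnerable, `0` = witnessed safe, and an advisory claim is one contiguous interval). The mapping from bitstring position to concrete version is not on the page and is not guessed; `project_claim` uses only the ranges the CVE description spells out, with `5.7.x` read as `>= 5.7.0`.

```python
"""Recompute the gist's per-candidate certificate metrics and project a version
onto the CVE-2024-22257 ranges. Semantics below are reconstructed assumptions,
chosen to match the five certificates the gist publishes."""
from __future__ import annotations

import re
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Certificate:
    candidate: str
    bitstring: str
    minimum_interval_cover: int       # maximal runs of '1': intervals needed to cover every vulnerable version
    vsv_witnesses: int                # vulnerable-safe-vulnerable gaps; each refutes a single-interval claim
    zero_error_single_intervals: int  # 1 when a single interval is exact, else 0
    full_recall_fp_lower_bound: int   # safe versions any interval covering every '1' must also flag
    zero_fp_fn_lower_bound: int       # vulnerable versions any interval flagging no '0' must miss


def certify(candidate: str, bits: str) -> Certificate:
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("bitstring must be a non-empty string of '0'/'1'")
    one_runs = [len(list(g)) for b, g in groupby(bits) if b == "1"]
    cover = len(one_runs)
    # Safe versions that lie between the first and last vulnerable version.
    interior_zeros = bits[bits.index("1"):bits.rindex("1") + 1].count("0") if cover else 0
    return Certificate(
        candidate=candidate,
        bitstring=bits,
        minimum_interval_cover=cover,
        vsv_witnesses=max(cover - 1, 0),
        zero_error_single_intervals=1 if cover == 1 else 0,
        full_recall_fp_lower_bound=interior_zeros,
        # Best zero-FP interval is the longest run; everything else is missed.
        zero_fp_fn_lower_bound=bits.count("1") - max(one_runs, default=0),
    )


# Ranges exactly as the CVE-2024-22257 description on this page states them:
# 5.7.x < 5.7.12, 5.8.x < 5.8.11, 6.0.x < 6.0.9, 6.1.x < 6.1.8, 6.2.x < 6.2.3.
# Lower bounds of x.y.0 are an assumption about what "x.y.x" means.
CVE_2024_22257_RANGES = [
    ((5, 7, 0), (5, 7, 12)), ((5, 8, 0), (5, 8, 11)), ((6, 0, 0), (6, 0, 9)),
    ((6, 1, 0), (6, 1, 8)), ((6, 2, 0), (6, 2, 3)),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric prefix of a Maven version string: '2.0.8.RELEASE' -> (2, 0, 8)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if m is None:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def project_claim(version: str, ranges=CVE_2024_22257_RANGES) -> str:
    """Classify one version against half-open [introduced, fixed) ranges.

    Labels mirror the gist's decision vocabulary: 'range_included',
    'range_excluded', and 'namespace_missing' for a version older than every
    affected expression (the reason the gist gives for 2.0.8.RELEASE .. 5.6.12).
    """
    v = parse_version(version)
    if all(v < introduced for introduced, _ in ranges):
        return "namespace_missing"
    if any(introduced <= v < fixed for introduced, fixed in ranges):
        return "range_included"
    return "range_excluded"


# Bitstrings copied from the gist's certificate sections.
PAGE_CERTIFICATES = {
    "CVE-2018-19360": "1111101010",
    "CVE-2019-10219": "011111111001100",
    "CVE-2020-24616": "10110110",
    "CVE-2024-22257": "111110101010",
    "CVE-2026-40180": "11100000",
}

if __name__ == "__main__":
    for cve, bits in PAGE_CERTIFICATES.items():
        c = certify(cve, bits)
        print(f"{cve}: cover={c.minimum_interval_cover} vsv={c.vsv_witnesses} "
              f"fp_lb={c.full_recall_fp_lower_bound} fn_lb={c.zero_fp_fn_lower_bound}")
    # The eight source-disagreement versions the gist lists for CVE-2024-22257.
    for ver in ["2.0.8.RELEASE", "3.0.0.RELEASE", "4.2.20.RELEASE", "5.6.12",
                "5.7.11", "5.8.10", "6.1.7", "6.2.2"]:
        print(f"{ver}: {project_claim(ver)}")
```

The practical reading: whenever `vsv_witnesses` is non-zero, no single version range can be both complete and precise, and the two lower bounds tell an advisory owner the minimum number of false positives (if they keep full recall) or missed vulnerable versions (if they refuse to flag a safe one) that a one-range claim forces. For CVE-2024-22257 the four `namespace_missing` versions are exactly the ones that the page's certificate treats as witnessed vulnerable but that fall below every range the CVE text declares.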