{"vulnerability": "CVE-2019-1021", "sightings": [{"uuid": "1e9e5333-43cf-4d6e-9ea5-f315dcf4fc31", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10216", "type": "seen", "source": "https://t.me/ctinow/195694", "content": "https://ift.tt/DAaExHd\nCVE-2019-10216 | Ghostscript PostScript File incorrect privileged apis", "creation_timestamp": "2024-02-28T17:47:10.000000Z"}, {"uuid": "f70ff739-244e-44b7-b2a2-de753fd6b78e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10213", "type": "seen", "source": "https://t.me/ctinow/194119", "content": "https://ift.tt/WapV2Jz\nCVE-2019-10213 | Openshift Container Platform 4.1/4.2 Debug Log neutralization for logs (RHSA-2019:4082)", "creation_timestamp": "2024-02-27T08:46:44.000000Z"}, {"uuid": "f41ff00f-2ea8-4cc3-a296-7271493909d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10214", "type": "seen", "source": "https://t.me/ctinow/193637", "content": "https://ift.tt/lziJWpd\nCVE-2019-10214 | Red Hat Enterprise Linux 8 Image Library insufficiently protected credentials", "creation_timestamp": "2024-02-26T18:46:57.000000Z"}, {"uuid": "0b43728f-0848-4025-9089-a151f3b65826", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10219", "type": "seen", "source": "https://t.me/ctinow/182704", "content": "https://ift.tt/NDgQsPO\nCVE-2019-10219 | Hibernate-Validator SafeHtml Validator Comment cross site scripting (RHSA-2020:0159)", "creation_timestamp": "2024-02-11T07:56:42.000000Z"}, {"uuid": "6ef0ae5a-4d66-490c-b929-66abaf356430", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10218", "type": "seen", "source": "https://t.me/ctinow/179042", "content": "https://ift.tt/IKZH4BA\nCVE-2019-10218 | Samba up to 4.9.14/4.10.9/4.11.1 Client path traversal (SA_19_35)", "creation_timestamp": "2024-02-05T08:41:30.000000Z"}, {"uuid": "a4f2c1bc-c6eb-4f29-8df0-0dfc53b8f22d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10211", "type": "seen", "source": "https://t.me/ctinow/175335", "content": "https://ift.tt/P1OqgoL\nCVE-2019-10211 | PostgreSQL up to 9.4.23/9.5.18/9.6.14/10.9/11.4 on Windows Installer input validation", "creation_timestamp": "2024-01-29T15:41:09.000000Z"}, {"uuid": "c718418f-1116-4243-939a-982b9c95831d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10210", "type": "seen", "source": "https://t.me/ctinow/175299", "content": "https://ift.tt/89vpVot\nCVE-2019-10210 | PostgreSQL up to 9.4.23/9.5.18/9.6.14/10.9/11.4 on Windows Installer input validation", "creation_timestamp": "2024-01-29T15:11:36.000000Z"}, {"uuid": "deb0e13a-fb73-4d10-976d-761acde180c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10212", "type": "seen", "source": "https://t.me/cibsecurity/7166", "content": "ATENTION\u203c New - CVE-2019-10212\n\nA flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2019-10-02T22:35:13.000000Z"}, {"uuid": "91811c2e-d477-4b70-bba3-398fffbd782d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-10219", "type": "seen", "source": "https://gist.github.com/hypergalois/e7077b83b2dbb66313dd9cc387d14c0c", "content": "# Affected-Version External Validation Bundle\n\nThis is the current advisory-owner publication packet.\n\n## Summary\n\n- source queue rows: `33`\n- publication-eligible queue rows: `9`\n- non-publication queue rows retained internally: `24`\n- publication units: `9`\n- GitHub issue units: `5`\n- manual route units: `4`\n- zip SHA-256: `d418fc3b820414447687442551c613c78fec5ef080c3fa9440c354b0957faedd`\n\n## Publication Units\n\n| Candidate | Target | Route | Priority |\n|---|---|---|---|\n| `CVE-2018-19360` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2018-19360` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2019-10219` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2020-24616` | `GHSA` | `https://github.com/github/advisory-database` | `P0` |\n| `CVE-2020-24616` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2024-22257` | `NVD` | `https://nvd.nist.gov/vuln` | `P0` |\n| `CVE-2024-22257` | `CVE` | `https://www.cve.org/ResourcesSupport/ReportRequest` | `P0` |\n| `CVE-2026-40180` | `GHSA` | `https://github.com/github/advisory-database` | `P1` |\n| `CVE-2026-40180` | `OSV` | `https://github.com/google/osv.dev` | `P1` |\n\n## Payloads\n\n### CVE-2018-19360 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `8272a04cb4c4fe332d317d5cba26f51a5d9a7aa38b7525e8a8c4b706e743a007`\n\n# CVE-2018-19360: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2018-19360`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2018-19360__GHSA.md` | `7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8` |\n\n## Reproduction\n\n```sh\nmake cve-2018-19360\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8`\n- target-specific report: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2018-19360`\n- bitstring: `1111101010`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1`\n  - version: `2.7.0-rc1`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2`\n  - version: `2.7.0-rc2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3`\n  - version: `2.7.0-rc3`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2018-19360 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `174c0431cd676c8fe0df96c362bfe4e7c2d0d73b486411ad39da49cd03b6073c`\n\n# CVE-2018-19360: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2018-19360`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2018-19360__NVD.md` | `20595e055968d39065c456d63d5d502d243d1753b5648c2e009a09d4ec9c465b` |\n\n## Reproduction\n\n```sh\nmake cve-2018-19360\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `20595e055968d39065c456d63d5d502d243d1753b5648c2e009a09d4ec9c465b`\n- target-specific report: `external_validation_reports/CVE-2018-19360_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2018-19360`\n- bitstring: `1111101010`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1`\n  - version: `2.7.0-rc1`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2`\n  - version: `2.7.0-rc2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3`\n  - version: `2.7.0-rc3`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2019-10219 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `72a79b62a61b2d0424460a5ee2a222650a0ed48fae1b859fcad1af61ff5b703f`\n\n# CVE-2019-10219: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2019-10219`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `6`\n- source-disagreement versions: `7`\n- report paths: `external_validation_reports/CVE-2019-10219_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2019-10219__GHSA.md` | `9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090` |\n\n## Reproduction\n\n```sh\nmake cve-2019-10219\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090`\n- target-specific report: `external_validation_reports/CVE-2019-10219_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2019-10219`\n- bitstring: `011111111001100`\n- minimum interval cover: `2`\n- V-S-V witnesses: `1`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `2`\n## Projection-Loss Coordinates\n\n- `org.hibernate:hibernate-validator:5.1.3.Final`\n  - version: `5.1.3.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.2.5.Final`\n  - version: `5.2.5.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.3.6.Final`\n  - version: `5.3.6.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.4.2.Final`\n  - version: `5.4.2.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate:hibernate-validator:5.4.3.Final`\n  - version: `5.4.3.Final`\n  - claim projection decisions: `GHSA:namespace_missing`\n  - excluding sources: `GHSA`\n  - detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate\n- `org.hibernate.validator:hibernate-validator:6.1.0.Alpha6`\n  - version: `6.1.0.Alpha6`\n  - claim projection decisions: `GHSA:fixed`\n  - excluding sources: `GHSA`\n  - detail: GHSA: version equals GHSA first_patched_version\n## Source Disagreements\n\n- versions with source disagreement: `4.3.2.Final, 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6`\n\n### CVE-2020-24616 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `5f870288db037a32053feb076e5744ba384991db9a10aa8ec0a56f03b17e0aee`\n\n# CVE-2020-24616: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2020-24616`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2020-24616__GHSA.md` | `ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4` |\n\n## Reproduction\n\n```sh\nmake cve-2020-24616\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4`\n- target-specific report: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2020-24616`\n- bitstring: `10110110`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.10.0`\n  - version: `2.10.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.10.5`\n  - version: `2.10.5`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.0`\n  - version: `2.11.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.2`\n  - version: `2.11.2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2020-24616 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `9101ea70bf77bbca5ac9128afeef2d86cfd5cabbe894846dc1d11a0ba6937843`\n\n# CVE-2020-24616: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2020-24616`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2020-24616__NVD.md` | `84164e37953507501f9c9996e9abec7d0a84e757cc3f385e7ab1e9c75befa465` |\n\n## Reproduction\n\n```sh\nmake cve-2020-24616\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `84164e37953507501f9c9996e9abec7d0a84e757cc3f385e7ab1e9c75befa465`\n- target-specific report: `external_validation_reports/CVE-2020-24616_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2020-24616`\n- bitstring: `10110110`\n- minimum interval cover: `3`\n- V-S-V witnesses: `2`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `2`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `com.fasterxml.jackson.core:jackson-databind:2.10.0`\n  - version: `2.10.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.10.5`\n  - version: `2.10.5`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.0`\n  - version: `2.11.0`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n- `com.fasterxml.jackson.core:jackson-databind:2.11.2`\n  - version: `2.11.2`\n  - claim projection decisions: `GHSA:range_excluded;NVD:range_excluded`\n  - excluding sources: `GHSA;NVD`\n  - detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2024-22257 / NVD\n\n- route: `https://nvd.nist.gov/vuln`\n- payload SHA-256: `d22323305a6e20b05fa22a78f90be1eb3fa1e6a26c46e4a735492fabcadcddf9`\n\n# CVE-2024-22257: executable affected-version evidence for NVD\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2024-22257`\n- route URL: `https://nvd.nist.gov/vuln`\n- targets: `NVD`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `8`\n- report paths: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `NVD` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2024-22257__NVD.md` | `7e8251bd847fae2084d77a34174d311bfc6a08d98eda6108a902d773e1f0931c` |\n\n## Reproduction\n\n```sh\nmake cve-2024-22257\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: NVD / claim-source\n\n- target-specific body SHA-256: `7e8251bd847fae2084d77a34174d311bfc6a08d98eda6108a902d773e1f0931c`\n- target-specific report: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2024-22257`\n- bitstring: `111110101010`\n- minimum interval cover: `4`\n- V-S-V witnesses: `3`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `3`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `org.springframework.security:spring-security-core:2.0.8.RELEASE`\n  - version: `2.0.8.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:3.0.0.RELEASE`\n  - version: `3.0.0.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:4.2.20.RELEASE`\n  - version: `4.2.20.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:5.6.12`\n  - version: `5.6.12`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n## Source Disagreements\n\n- versions with source disagreement: `2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2`\n\n### CVE-2024-22257 / CVE\n\n- route: `https://www.cve.org/ResourcesSupport/ReportRequest`\n- payload SHA-256: `2303f71a4c64a251d0029bf3203781a7ba3b9cc571440df744f6add4eda1add4`\n\n# CVE-2024-22257: executable affected-version evidence for CVE\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2024-22257`\n- route URL: `https://www.cve.org/ResourcesSupport/ReportRequest`\n- targets: `CVE`\n- route kinds: `claim-source`\n- priority: `P0`\n- grouped queue rows: `1`\n- P0 rows in group: `1`\n\n## Evidence Summary\n\n- projection-loss versions: `4`\n- source-disagreement versions: `8`\n- report paths: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `CVE` | `claim-source` | `P0` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2024-22257__CVE.md` | `74ab80e11cc1ddb0019f9289a3766608e93b8386b5fb1d9eeeb84a72ac7d7d3b` |\n\n## Reproduction\n\n```sh\nmake cve-2024-22257\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: CVE / claim-source\n\n- target-specific body SHA-256: `74ab80e11cc1ddb0019f9289a3766608e93b8386b5fb1d9eeeb84a72ac7d7d3b`\n- target-specific report: `external_validation_reports/CVE-2024-22257_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2024-22257`\n- bitstring: `111110101010`\n- minimum interval cover: `4`\n- V-S-V witnesses: `3`\n- zero-error single intervals: `0`\n- full-recall false-positive lower bound: `3`\n- zero-false-positive false-negative lower bound: `3`\n## Projection-Loss Coordinates\n\n- `org.springframework.security:spring-security-core:2.0.8.RELEASE`\n  - version: `2.0.8.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:3.0.0.RELEASE`\n  - version: `3.0.0.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:4.2.20.RELEASE`\n  - version: `4.2.20.RELEASE`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n- `org.springframework.security:spring-security-core:5.6.12`\n  - version: `5.6.12`\n  - claim projection decisions: `CVE:namespace_missing;NVD:package_excluded`\n  - excluding sources: `CVE;NVD`\n  - detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product\n## Source Disagreements\n\n- versions with source disagreement: `2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2`\n\n### CVE-2026-40180 / GHSA\n\n- route: `https://github.com/github/advisory-database`\n- payload SHA-256: `6d68b018881317fed2214dd04460a6948f601135e1eed9cfc72702569541e307`\n\n# CVE-2026-40180: executable affected-version evidence for GHSA\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2026-40180`\n- route URL: `https://github.com/github/advisory-database`\n- targets: `GHSA`\n- route kinds: `claim-source`\n- priority: `P1`\n- grouped queue rows: `1`\n- P0 rows in group: `0`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `GHSA` | `claim-source` | `P1` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2026-40180__GHSA.md` | `0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea` |\n\n## Reproduction\n\n```sh\nmake cve-2026-40180\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: GHSA / claim-source\n\n- target-specific body SHA-256: `0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea`\n- target-specific report: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2026-40180`\n- bitstring: `11100000`\n- minimum interval cover: `1`\n- V-S-V witnesses: `0`\n- zero-error single intervals: `1`\n- full-recall false-positive lower bound: `0`\n- zero-false-positive false-negative lower bound: `0`\n## Projection-Loss Coordinates\n\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0`\n  - version: `2.14.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts`\n  - version: `2.14.0-lts`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0`\n  - version: `2.15.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n## Source Disagreements\n\n- none recorded for this case\n\n### CVE-2026-40180 / OSV\n\n- route: `https://github.com/google/osv.dev`\n- payload SHA-256: `ca791acfd0f6483a434acbf80df1f62c536fb5bb1210176f833a3c5dfd3a91d6`\n\n# CVE-2026-40180: executable affected-version evidence for OSV\n\n## Requested Check\n\nPlease review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.\n\n## Grouped Route\n\n- candidate: `CVE-2026-40180`\n- route URL: `https://github.com/google/osv.dev`\n- targets: `OSV`\n- route kinds: `claim-source`\n- priority: `P1`\n- grouped queue rows: `1`\n- P0 rows in group: `0`\n\n## Evidence Summary\n\n- projection-loss versions: `3`\n- source-disagreement versions: `0`\n- report paths: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Target-Specific Packets\n\n| Target | Route kind | Priority | Reason | Body | SHA-256 |\n|---|---|---|---|---|---|\n| `OSV` | `claim-source` | `P1` | claim-source projection excludes witness-vulnerable versions | `external_validation_submissions/CVE-2026-40180__OSV.md` | `5e54d610c96742a60ae45d1d3cfaf22f81c05d5cd41495149e208ff4c0a02d4e` |\n\n## Reproduction\n\n```sh\nmake cve-2026-40180\nmake interval-certificates topology-theorem order-sensitivity version-dags\nmake case-certificates verify-certificates validate-artifact\n```\n\n## Evidence Details\n\nOnly the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.\n\n### Packet: OSV / claim-source\n\n- target-specific body SHA-256: `5e54d610c96742a60ae45d1d3cfaf22f81c05d5cd41495149e208ff4c0a02d4e`\n- target-specific report: `external_validation_reports/CVE-2026-40180_external_validation_report.md`\n\n## Executable Certificate\n\n- candidate: `CVE-2026-40180`\n- bitstring: `11100000`\n- minimum interval cover: `1`\n- V-S-V witnesses: `0`\n- zero-error single intervals: `1`\n- full-recall false-positive lower bound: `0`\n- zero-false-positive false-negative lower bound: `0`\n## Projection-Loss Coordinates\n\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0`\n  - version: `2.14.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts`\n  - version: `2.14.0-lts`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n- `io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0`\n  - version: `2.15.0`\n  - claim projection decisions: `OSV:package_excluded;GHSA:package_excluded`\n  - excluding sources: `OSV;GHSA`\n  - detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate\n## Source Disagreements\n\n- none recorded for this case\n", "creation_timestamp": "2026-06-30T03:22:28.155513Z"}]}