CVE-2018-19360: executable affected-version certificate for GHSA

[hypergalois]

CVE-2018-19360: executable affected-version certificate for GHSA

Requested Check

Please review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.

Grouped Route

• candidate: CVE-2018-19360
• route URL: https://github.com/github/advisory-database
• targets: GHSA
• route kinds: claim-source
• priority: P0
• grouped queue rows: 1
• P0 rows in group: 1

Evidence Summary

• projection-loss versions: 3
• source-disagreement versions: 0
• report paths: external_validation_reports/CVE-2018-19360_external_validation_report.md

Target-Specific Packets

Target	Route kind	Priority	Reason	Body	SHA-256
GHSA	claim-source	P0	claim-source projection excludes witness-vulnerable versions	external_validation_submissions/CVE-2018-19360__GHSA.md	7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8

Reproduction

make cve-2018-19360
make interval-certificates topology-theorem order-sensitivity version-dags
make case-certificates verify-certificates validate-artifact

Evidence Details

Only the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.

Packet: GHSA / claim-source

• target-specific body SHA-256: 7e442e4f016bec5701d06bb184eb47cd1379d288ef80d23e6b4cb74d35af2ba8
• target-specific report: external_validation_reports/CVE-2018-19360_external_validation_report.md

Executable Certificate

• candidate: CVE-2018-19360
• bitstring: 1111101010
• minimum interval cover: 3
• V-S-V witnesses: 2
• zero-error single intervals: 0
• full-recall false-positive lower bound: 2
• zero-false-positive false-negative lower bound: 2

Projection-Loss Coordinates

• com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1
  • version: 2.7.0-rc1
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2
  • version: 2.7.0-rc2
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3
  • version: 2.7.0-rc3
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches

Source Disagreements

• none recorded for this case

Public Evidence Bundle

• URL: https://gist.github.com/hypergalois/e7077b83b2dbb66313dd9cc387d14c0c
• SHA-256: 66c88a27a195f6fac936b4a836147d05a884c708bc2d76f9c663d8963ba4c8d4