CVE-2020-24616: executable affected-version certificate for GHSA

[hypergalois]

CVE-2020-24616: executable affected-version certificate for GHSA

Requested Check

Please review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.

Grouped Route

• candidate: CVE-2020-24616
• route URL: https://github.com/github/advisory-database
• targets: GHSA
• route kinds: claim-source
• priority: P0
• grouped queue rows: 1
• P0 rows in group: 1

Evidence Summary

• projection-loss versions: 4
• source-disagreement versions: 0
• report paths: external_validation_reports/CVE-2020-24616_external_validation_report.md

Target-Specific Packets

Target	Route kind	Priority	Reason	Body	SHA-256
GHSA	claim-source	P0	claim-source projection excludes witness-vulnerable versions	external_validation_submissions/CVE-2020-24616__GHSA.md	ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4

Reproduction

make cve-2020-24616
make interval-certificates topology-theorem order-sensitivity version-dags
make case-certificates verify-certificates validate-artifact

Evidence Details

Only the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.

Packet: GHSA / claim-source

• target-specific body SHA-256: ccb663cab76d7ace2261a5a03691f902a2410c6cc13666fc56859371ea854cc4
• target-specific report: external_validation_reports/CVE-2020-24616_external_validation_report.md

Executable Certificate

• candidate: CVE-2020-24616
• bitstring: 10110110
• minimum interval cover: 3
• V-S-V witnesses: 2
• zero-error single intervals: 0
• full-recall false-positive lower bound: 2
• zero-false-positive false-negative lower bound: 3

Projection-Loss Coordinates

• com.fasterxml.jackson.core:jackson-databind:2.10.0
  • version: 2.10.0
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.10.5
  • version: 2.10.5
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.11.0
  • version: 2.11.0
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.11.2
  • version: 2.11.2
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches

Source Disagreements

• none recorded for this case

Public Evidence Bundle

• URL: https://gist.github.com/hypergalois/e7077b83b2dbb66313dd9cc387d14c0c
• SHA-256: 66c88a27a195f6fac936b4a836147d05a884c708bc2d76f9c663d8963ba4c8d4