{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:b51984d7-3aa7-552c-a6eb-e1b70556d051",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4",
      "type": "library",
      "group": "org.apache.tomcat",
      "name": "tomcat-ssi",
      "version": "10.1.42-tuxcare.4",
      "purl": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:dd8ea5b3-97f7-515a-b52a-518839082d36",
      "id": "CVE-2024-23672",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-23672 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. Tomcat 10.1.42 is not vulnerable because CVE-2024-23672 is fixed in 10.1.19 and affects only 10.1.0-M1 through 10.1.18, and 10.1.42 is later than 10.1.19."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:844d5754-52e0-5183-80a2-d2dff8ae2e2e",
      "id": "CVE-2024-24549",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-24549 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. 10.1.42 is not vulnerable. The issue is fixed in 10.1.19, and 10.1.42 is later than 10.1.19, so this version already includes the fix."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:764c6227-ce82-59e8-b0f2-60df724e4ceb",
      "id": "CVE-2024-52316",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-52316 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. Already fixed: CVE-2024-52316 affects Apache Tomcat versions 10.1.0-M1 through 10.1.30. The target repository is version 10.1.42, which is newer than the first fixed version (10.1.31) in the upstream Apache Tomcat 10.1.x series. The fix is present in the current code at AuthenticatorBase.java lines 804-808, where exceptions thrown by the Jakarta Authentication validateRequest() call are caught and the HTTP status is explicitly set to 500, so that authentication failures are properly handled."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b6b75077-1e09-58fa-9d5b-b6c18e785b6e",
      "id": "CVE-2025-48988",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2025-48988 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. 10.1.42 is the first fixed release in 10.1.x. The fix is already included in 10.1.42."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d8e75d2f-de63-5138-8d61-9bed8876bba1",
      "id": "CVE-2025-48989",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-48989 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0128efd6-21e6-5513-bfa5-d610041b85bd",
      "id": "CVE-2025-49125",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2025-49125 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. 10.1.42 is the first fixed release in 10.1.x. The fix is already included in 10.1.42."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b21c63ff-edef-5f0b-99a1-6260d8a64190",
      "id": "CVE-2025-52520",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-52520 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1a50b8e9-4ca6-55b8-8957-67da869c6d9b",
      "id": "CVE-2025-53506",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-53506 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:30828033-0696-53ae-8755-cc895ab102ef",
      "id": "CVE-2025-55752",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-55752 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15ab83a3-ffdd-5c45-a46a-c2288186a178",
      "id": "CVE-2025-55754",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-55754 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cb696b74-75ee-50bf-9d70-f056a5b9dc38",
      "id": "CVE-2025-61795",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-61795 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:72e37cc7-b379-595b-beaf-c3322d78fb83",
      "id": "CVE-2025-66614",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66614 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:568ee83a-7b21-596c-b477-d50436c795b3",
      "id": "CVE-2026-24733",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-24733 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ff197258-5a46-5ff3-9055-79bfd1edea58",
      "id": "CVE-2026-24734",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-24734 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:166b8c84-5304-56f4-9c01-c62dc1576f5f",
      "id": "CVE-2026-24880",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-24880 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:912a9bea-19e9-59a5-b141-2ba14621a9c1",
      "id": "CVE-2026-25854",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-25854 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:058d4886-5ca8-533b-8e3c-c69b7a9606a5",
      "id": "CVE-2026-29145",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-29145 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. Fix already present in target (patches already applied) (AIMAGIC-1135 triage; audited)."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4682bd90-d4d9-526f-9f35-d232bf593040",
      "id": "CVE-2026-29146",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-29146 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:80811736-86a4-50e8-95da-d62810bd9189",
      "id": "CVE-2026-32990",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-32990 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:40916946-26cc-5ad3-bb9a-46a6b3a4c2b3",
      "id": "CVE-2026-34483",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34483 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6901c1b2-9ce2-5aa2-9903-c36ea62cf5b5",
      "id": "CVE-2026-34486",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-34486 does not affect version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi. Not affected: the target repository, Tomcat 10.1.42-tuxcare.4, is not affected by CVE-2026-34486. The CVE explicitly states that versions without the CVE-2026-29145 fix are not affected. Analysis confirms the CVE-2026-29145 fix was reverted from this repository, and the target version (10.1.42) predates the affected version range (10.1.53+). Note: the CVE-2026-29145 entry in this document describes that fix as already present in the target, which appears to conflict with the revert stated here; confirm which statement reflects the shipped code."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:acb31455-13d9-5480-a4d4-e1e06c9c84bb",
      "id": "CVE-2026-34487",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34487 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e6bf4464-2369-5112-9c88-25b37d509c8c",
      "id": "CVE-2026-34500",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34500 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dbac4559-cfec-59a1-986c-1ab8c186dceb",
      "id": "CVE-2026-41284",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41284 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d82d1d58-7760-534e-9437-6688bc6c5302",
      "id": "CVE-2026-41293",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41293 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c245a0b6-1189-57bf-9462-737e121aacb7",
      "id": "CVE-2026-42498",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-42498 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:27a0a88c-72d3-5d06-87e8-495791762eb7",
      "id": "CVE-2026-43512",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-43512 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0ddc6fd5-00e1-5eeb-9d81-651b2a4ceb18",
      "id": "CVE-2026-43513",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-43513 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:56b37b3f-a885-54be-b0b3-7fbe04845cd1",
      "id": "CVE-2026-43514",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-43514 affects version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0ada13f9-dcdb-527e-a3fc-a0e419074927",
      "id": "CVE-2026-43515",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-43515 is fixed in version 10.1.42-tuxcare.4 of org.apache.tomcat:tomcat-ssi."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.apache.tomcat/tomcat-ssi@10.1.42-tuxcare.4"
    }
  ]
}