{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:6df402e9-b33a-564f-a535-e6068a8bd2b2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-aop", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:de0ed289-bfb5-564b-9cf8-4f03906ea7bb", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd38d7f0-6231-5486-9f2f-2a4a786fef1e", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:335c6ab0-8144-54bb-924c-f5553e060541", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5b420281-d1fe-517d-8628-55bbbcec7976", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f0bbf650-c038-5e45-8837-1d3662b65ddc", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c2a0228b-fca9-5bfa-af5d-c272bfcbfe57", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0dea77f9-7d66-5842-90e2-361f3470cdff", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:26ceefbf-3c18-5dfe-931f-1b15dcec62bd", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6f13d387-cd0f-5853-97bb-a7bafe752f25", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2a645c12-162d-556f-8f5e-f243bbd8dfe5", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:37a7ad87-ae08-532d-9c5a-4e2d4052f52c", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:42b84201-98e7-5890-8f6e-9cd8ffc5a3fd", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5c05fdbf-c0c4-581a-80c9-7ec58ffa22bc", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1a9d9f39-7700-5fef-98f4-4789a0c8cfbd", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:811c25a1-7785-52f5-92d9-9cd68e42ec44", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cc251bd1-26dc-5ea6-82bf-c008150082a0", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:157903eb-d945-53b6-84b4-5f14d517d528", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fffe3a5c-316e-5089-bb52-51f96a2a2653", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8b6b93e0-e469-51dd-aaf7-2b095f162bbf", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:186c2246-0956-5b0b-ab17-a52e5f4758ea", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:605d4b70-16b1-54fc-b0e8-67ad5d9323b1", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c42172a1-98de-5124-a45d-6a496e10ce77", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b7fce9c7-2214-56e0-8d1a-86bdf573bfd4", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f999e9c6-20bb-56fd-acc1-a4613ea082de", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ca72ba1e-5be1-5c29-bfc0-a57345ba2609", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:206866c0-81d4-5782-b504-51f29d5af5dd", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea7e1b9b-2476-5489-a237-8cf7f97b1f67", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3afe36f2-f009-5d07-9fab-72eaa0b41e24", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a51971fd-2c5c-577a-b1c2-26dc2311e16f", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:aa2e3167-0688-5194-a2b7-eb181dcc14a5", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:72bbab1b-f14c-5499-be3c-18170ee8551a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6b65780-5e49-5a15-8d39-9ea594f89f25", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bdab6e35-de7e-56da-8a00-968b296d253f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bf767fd3-7c49-5baf-ae79-e406e37d1d22", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:48daef83-82c6-5c9c-8452-9dc02dbe565d", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:77bb8433-9a87-5279-ad8d-6ba3f22e296f", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:375ad0aa-d67f-5c1b-8afa-e4be49d1aa3f", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0248e750-9173-520d-941e-9c12d3ec1d8e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f7fde6a9-7556-52f6-8784-d1915ca61f82", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0ecd41f1-3579-50a0-8e0c-0739494c794d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0e1183aa-6f65-5db4-8624-f7aaf31cd3dd", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:25e96d43-b5d3-5a4f-9079-db3219ff5f4e", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:96d9c513-be66-5d56-870f-65c0041d9e1b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.3" } ] }