{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:08196af0-394a-5357-89c1-bcd30e7731b8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-aop", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6cb59054-bc71-5c6b-b5b7-cde63eac7b8f", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ecce928c-626a-565b-81af-dcaa8f77f2e6", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d8252f96-ed60-5aaa-9b60-7a51cd673264", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ca5fe795-0ef4-572b-9f44-2ef7cf85d6b9", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3443178d-6807-5a42-b1af-73e453af1898", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4b7b8b04-e82d-5dbf-9c86-cafc5d90968a", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aa0d7b21-690e-5ea0-a460-3b5e6aefaeb6", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:890bdf69-5a19-5475-ba20-a210986464d3", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ab5dabbb-71a4-57b9-94d4-042bcb8d462d", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c8dee5b8-b15a-574f-afb7-e52220240dea", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:30ba3292-e95b-57df-8f16-02e92cbd6080", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:72d1dad0-5f77-594b-9df2-dd924ef0f7f5", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e01b5046-eb2c-5712-bf6e-d4aa9fca5474", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a30a14ec-085a-5f53-b000-857484a05e0f", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:79c8f141-8f9d-580d-bb40-60d591eb3008", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6c7daaa7-16db-528f-80ee-6eb32507cbc7", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cd8a942b-873b-5102-9dc9-b8ee740bb4a3", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:815d7928-5161-5155-8699-8e1918208e1d", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:088a962c-af29-5bc0-8c22-d7f1e26b47e0", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4e04ded1-8dcb-5d65-a1f0-384fa18ada35", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ceb66f1d-3356-5f28-9fc6-61684744a7f1", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b74ad156-5ef1-54c5-b2e3-be7bbc86a514", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:23c2c198-7c27-553a-a2af-e4f2740d54f8", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3e74135f-5e53-5f19-a7f9-62d848f5fc47", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d0f45d9c-3ab5-56fe-9cad-5072f57795a0", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a8549bfe-3f58-568a-8800-c9ee31ab8aeb", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8ce2d49b-b527-5ae5-85b6-eb904e82e8c8", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:97335804-e3dd-54d9-b04b-d05a009343d9", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e5bbd9d9-a244-530d-b69a-d78fb90d8d78", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:921ebc56-6ce8-5ff6-b452-6985672f1f1d", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:54a38aa3-fa21-5dde-9f05-9ef7766a9424", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:43e0c750-fa59-577f-bbdc-ce9a5eeaf690", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9cf604b9-f164-55a1-92f6-1bfcc3db9b4b", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2250a7a4-dadd-5b68-8b6e-8ebb8cb8e007", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:150893f2-e5ab-501a-8779-77692fcd0ab4", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b066eb8e-d112-5316-af18-59f2a4c31ce5", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a7dabe44-d248-5ae2-8856-37e78db8f421", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dfbb5af8-0a49-59f7-94ea-56a3316f26ca", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a93c262f-5e16-56cb-8ef3-aff94d2cf3df", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:14b070a1-972a-5b28-a674-fa1f68055052", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1e6f6a08-9d55-553b-8858-56d16bd279d7", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3654b2cf-dbe2-5e1b-8dac-4ef6010941fd", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:981c9c95-7b37-574d-8917-c48c3efb60b4", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-aop@4.2.9.RELEASE-tuxcare.4" } ] }