{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:52308c55-5d84-51f0-9e65-834595afaecd", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-beans", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f52d2e64-1e3f-5738-9711-3d54b2da8e92", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b7e27698-61dd-5964-958b-1216c721400e", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:49bd5b4b-641c-5aa4-a298-d41fe342cdf7", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:06b0fca2-bf71-5663-ada4-12fce719e9e9", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7975b73d-1f58-5fd9-aabb-95213798aaeb", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d3450d7c-8eb3-5ec3-9eaa-0eaa694c8ef3", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e7dcff5e-cb95-51ef-8434-af8a1e29c6e1", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0046382b-d208-5a54-b74e-2cdef9b1d62f", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:079859c3-540b-5d35-988b-f49933dc9cc9", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d7e028da-63cb-5ac4-bf20-b2826f2e28c4", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a37819f3-c838-54c9-8ea3-34bdb5fd2183", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4e8e8c48-5184-509d-a0f9-6c75abb25578", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7e4902a7-6329-57da-a212-57de688fa80e", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c8e4b3aa-7b9d-5676-9971-f1dd4d0d9de6", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:59365304-299e-59ee-96a4-7469076079a3", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0f3c7e2f-6e77-52d1-9bdf-7e68f52fac92", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fb8b22f8-9990-5e1c-825d-bfe4e8f899b7", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8eaffa8d-6f56-57d1-9875-788865f0c4d1", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:be7b03e4-569a-5fee-8d96-60c0833c8060", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:db1b78ec-0da6-5748-b3b9-c638dbb90a0d", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3f8097cf-d194-5636-a478-a66467a6c5fe", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8e81233b-92e1-579b-b48b-c4cfbb9978b8", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6543a5c4-d13d-5ab2-828a-18051bcb67ce", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e3d18a94-c194-50f2-adf6-3e2c01c7c230", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a23a8fac-8f50-56ab-9eb8-4f8f53426a64", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3c73468a-415a-5572-8dab-878e6f479dc4", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:505aa1f0-c9ff-5623-bd47-b9700a4579fd", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7687fe96-14c8-5f9f-805c-16bf1b7fe1b0", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2da4adea-3afd-56be-a1ba-2f215b6757f1", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:46c36f0a-5ba0-54a2-b28c-426c20e95d26", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0405fcb5-3fae-5ea8-9b0c-79021f68c805", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7f6d690b-d13f-5329-a102-c6994f50b68a", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1c89e6e-4404-5a8e-b242-526930bc6860", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5a0ead3c-38fa-5fe8-8ad9-a71693f6ab5b", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1aaeaaa6-a852-5da4-b806-0c07d6ec925d", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5972c4d9-9b87-5972-90f9-5f4bc418b40b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ab9ad4b-7a29-5d0c-8ef6-bbac84aef1ac", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eb72fcf4-8e6d-502a-8ba2-bb6402c0b729", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3d058461-1b8e-5bac-b750-9f8846cbb619", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0198bf82-18e9-5a08-8ed9-ec140fce7979", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:06154e3d-e320-52a1-b080-03dcf766e92d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:01269131-974a-5be3-bade-18351342f131", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e90b8c97-0fce-580b-a01a-86476c0cb2fa", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.3" } ] }