{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0f0c9d22-f113-577d-a333-37f7b4ee6a2b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-beans", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:8f711767-5941-5840-908c-be80531c6059", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8849651b-8b0b-5f64-a959-670da84be3a9", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3015c534-c478-553d-8d04-d4ff0b43b8f9", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d7991488-ea36-5cb7-93f0-1526e0546534", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:459b6ea4-87a5-5072-b0ee-e739e22fc367", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7090413a-e359-56c6-807b-0e36437d249c", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8f79a9c8-0015-5260-ba48-ab2e9117b6bb", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e5dd9784-f720-595c-b8e4-1360c288fd48", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0ba06d55-225a-56fd-88fa-ed7a3f5b0a0b", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6fb9a2df-182f-5c88-9aa1-d05aeaa17b68", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81b24dc4-fee7-5788-aa58-20ee25cd0d10", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b8c2ae29-d78d-5d81-86ab-385924886969", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:55a3b234-6836-5a1c-b7e3-0331ca0ac8de", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ad1fbaaf-142a-565e-aed3-42841045e9fa", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c1b58fb1-59f4-5a3c-954e-e4a7217e99c5", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:94683c36-bfc2-5dbc-9601-fa2fe48ab4a5", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:516a94e6-f072-5136-baf2-b20cd48a446d", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0ccb2a42-143e-574d-b0a3-3d82957370c6", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:230c3939-6329-57f2-9106-405f5d939c50", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c216f1af-0de1-58db-8a73-8cf9ebf84777", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b8f7ee79-9698-5ec6-9b09-666aa0746eda", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:94fb9d64-3364-59fe-9e68-b36d7b831601", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a725d3f5-db30-5ab8-9d38-4cd438fba8f6", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ae8669a1-eda6-54a4-92e1-7422b986da22", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ed579417-76cf-549c-ac9b-4ac8eebb824a", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:41004082-6926-5e50-af8e-eb3672a2be74", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:084976b9-8653-5010-870c-275cf1d3807d", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b67c6d1d-420f-5931-a04e-e658a9e29ca4", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:829a31b2-904d-5f54-9295-54dfa4a28977", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:381de12d-2aa7-56c5-aff7-166e0a50e6de", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:32edfff6-e648-55b0-bebf-35e0e715f7a9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fbf0587c-5089-5275-afe5-4db040081959", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0eef655d-e6b3-508b-8577-2b8de5f4af57", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8c1187b1-01ff-59b6-bf2a-9adb6c9bd5c7", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6e47d8fd-dabf-55a4-a879-cbb3eb7470f6", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3d7a9cc2-f60d-5764-baa1-c588bb44b06b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:db0ae4b0-cb9b-56d0-9651-946d2954add3", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:27b50c84-38b0-524e-9b66-a8c773b17c7a", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c1a39734-6161-59ea-ba60-99b890c6c21d", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:44d265a1-9a07-5288-88cf-96537a96f0a6", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:33edfac1-a434-523a-a0d0-5aa2f5f8b612", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fa53b823-af16-536d-93bf-dd61722fd53c", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:135582fd-a81c-5f43-bd1a-28258d91e297", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-beans@4.2.9.RELEASE-tuxcare.4" } ] }