{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f79e3456-f41d-53eb-a261-3803986dca79", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-context", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b5c88cc0-790d-5eeb-8bb8-d1df55ff2413", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42edede3-84b6-5970-8e84-5af7bd12617c", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:400ecc63-c4c4-5d6f-987c-6fc691c3fce0", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a3bf226a-4d5a-50fc-85ed-8ee34337c0ee", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:513f6502-d243-5959-bdf5-e3041a7aa47d", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2ffe1a18-b349-527a-aa96-efabdedb8637", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a494c553-f656-51d6-b5d8-1567e06cfff2", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fcc2d608-e785-5b60-8ed1-aea044187549", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d28359ee-9aec-5427-80c6-2ee04204e5bd", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e5841b2d-0f86-535b-bd37-2404944962fc", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:92421794-34fc-5e31-9f18-cddbdaa50475", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:abf36198-e296-5a4f-b897-c72f05f993b4", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d3f9cc75-01bc-5688-b544-ad73619561ff", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fa5b2c55-93ac-57f3-9419-4ae8bd382cdd", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cbeda6e2-5bae-5406-b8fa-bd711f03d8fa", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2c625682-722d-5516-980f-d5397c28c12e", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f242f068-e3a2-540d-acea-c7c53ef85ada", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:57efe7e4-b1e2-5173-9a55-2e90d8a0320f", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a35909b1-b074-580a-b1d2-b23c600750b2", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0b8553e9-6c03-52e0-841a-ef97ed70c944", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:53076337-b5f9-53ac-823c-689ea9eea486", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:586da316-34c8-5ebe-8220-42c2e90b93fd", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5056af6-0fae-58b2-a7fa-a120902d1404", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:68ab1960-7d87-57a6-aef7-84cc263b4201", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e9c95fde-553e-5269-9cb9-0ebbe9c8bafc", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c0aa610e-6325-5d0b-9d03-3d9ff808e981", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c85f5ec6-a957-556a-abd4-a0c893a466c6", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:06e77b0f-b156-576c-9f89-fc3c3174ef0e", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8dcbe9d3-0695-5597-bdf0-849edce40905", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e5d2473d-363f-52e3-a7db-b9826ce2d90b", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:62dacd66-bf1f-51c9-bc20-7766fd951391", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fc585382-5882-5437-a31c-474c06a1a5c6", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:708b1d8e-fd32-5a20-9b82-05f549e254af", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6b42e505-b38a-5451-9daa-9fe36de84ea1", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b8dfa02c-5dcf-5104-877c-5314fb01fd14", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a138f775-87d9-594c-9e45-20239cb88c26", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:df5ed6c9-0dbd-56ee-a414-1ee76f9d433d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9a62d046-638b-5b23-a0a0-99581e6be522", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7ee1a792-3d41-5843-823f-a260a574f9b2", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cf01ec02-edca-5e42-813f-b9438d01f5be", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b674c1a3-b029-5673-9573-fa25be5b655a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:04a3fcad-e2c5-52b0-b871-b7eaca4f7632", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5253587f-e4fb-5d1a-a338-70d9346ef505", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-context@4.2.9.RELEASE-tuxcare.4" } ] }