{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b9a56aba-4582-5659-b5e9-41216c8ffd04", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "4.2.9.RELEASE-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f2d4a7bc-3848-59c5-a489-f1577eed8e1e", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a86ad5b7-d537-58e4-9580-3e36c86e527e", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:595be455-2dda-58df-96e8-57d18148b846", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3fff0d8b-2616-51b3-96f5-1ecaed83f234", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:af8e0ccd-2383-5c54-ae66-c5991087b0b3", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c7abb89f-c30f-533d-bbad-d9d89ebacae7", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:48820ec0-55e0-5d2f-aeca-baeaba2c2c78", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6515304c-81c0-5377-ac66-ca144d1b703e", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:50def077-d259-5460-a944-ce4053cc840d", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c91b8f6f-7226-568a-acbd-a206f02b180c", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e087de95-57de-5766-8d35-da23a89fdaa2", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3af45c64-4b1e-5783-a1a7-6b826a56f9c4", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:44246d73-8959-5d6e-9a0f-bbf8291f95b6", "id": "CVE-2022-22965", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22965 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fd6d7f0d-0c81-5e58-ae55-5253d24f03a5", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:74b3f9f4-c4a7-540b-b7da-a99242a48ca0", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bb53e242-a7b8-578f-be53-ab1ae1e45f0c", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:926390e2-4594-56ea-adde-1a6cc614fa01", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8f0d85e2-c203-566b-bf5d-4fd41ce5def3", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b5e0596c-2c54-5344-ab9d-4db8e9cefce7", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f1f837af-44dd-5fa2-a7b1-0cef27dc4e5c", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a5d75c74-64bf-50bc-bc22-b031ac49cf15", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5301cbe2-a1b7-578e-8253-3043d3dc853e", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4d04d00f-85fd-5162-bc9d-06249495167c", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fb10dbb5-9e23-5f5c-9ca9-9090df2f7019", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:334562cb-d9f8-51af-bdd5-3afc5c78d923", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:32b25aae-e65d-5b26-97af-e497e1acf9fb", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:353d7103-25a8-5daa-bf4b-e1fd0541b560", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:73941df7-dc83-55b4-8a1c-f1d0f87a47fb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:410a7f3f-8516-5778-a06e-7da849d15979", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d4281de8-1f3e-5151-9be3-c55cf7b287c0", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:dca609be-0de3-502b-acf7-f236dcfbd04f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4ab19ad3-0424-57e8-923a-19048fdeeb44", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c8563f77-4f48-5390-af9f-2def893ec2a1", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:26e2b5b9-c058-50b8-935e-d73a5cfb1913", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4e9c17fb-5629-567f-a978-057fbdecacf8", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a0dda369-c363-534b-8f0d-2a9d1f5b540d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d15c8805-3073-5de7-9db1-4d9ad3a98b71", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4d8b7353-9feb-5511-bb12-bdb780c8a335", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8015cddf-861a-5cd4-98d5-b92954dd7ea9", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7c23d68d-6af9-5bbe-91bb-0730849e982c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bbc017ce-cbdd-541f-beef-459e0bb0406f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6fa4152a-22ec-5092-8d67-eba42a291c9f", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e8f6f84b-d68e-5774-8afe-e42da08025e7", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.2 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.2" } ] }