{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9f8c6505-0899-5ff5-bdc1-0b9a80ab193b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:37fc5886-6fcd-53cd-b8a1-21c90c59a166", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3c33614f-9c1a-56e2-8283-ac6e21925669", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:74c72585-67cf-5d08-84ca-fa795b5241a3", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9d7d0cf6-7022-5bbc-8671-0fde81d53af8", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8fb36fcd-efe2-5712-b8d2-35df2ccc3bce", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f08cae2e-0751-5665-8d8a-dfc9eaec4256", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6e93344c-7d84-5d9c-89a6-b9f43f29d167", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f51d650c-d5c8-5e35-8712-7f0b7bb1e5ec", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fb42b7f8-843b-5f7e-8547-e0c546100fb1", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e4382d83-919d-5fb8-89fe-8b482ba90fb7", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c82debc9-0855-5f6f-9166-6fe3f142d2c1", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f7ed35f3-53bf-53ed-b370-e14fa63a072e", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1f1e6ea2-4749-5d5e-9911-6b56932eb791", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5ede4cf9-d45f-5cde-9957-95a9c0222de2", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:628b0c33-095f-5272-a01e-29a2cdd9a66a", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9b15d664-017d-564f-a28f-92ac9be454a7", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e992e043-f995-5af0-ba69-e02bb7b6cb90", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a9be8a7b-5816-5116-b616-cebc0af2ac35", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9cd9547c-f031-5c39-8610-986bd93881c4", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ba64678e-27cd-57d5-94b0-f9ebfd805675", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:93e63e1a-42f4-5c48-92c0-8e2e907cb077", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1ce52573-ffb8-52ba-8d22-b037e71dcb4a", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:db95818a-a149-5a28-a946-d828cec22d18", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:50c3d8cd-f09e-55de-9439-baacc70772d2", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c1bd2a60-4296-5049-a3ea-01c2ec4a745f", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d11e6926-1815-527c-87a0-3e53d0a4a73d", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5a037ebc-6775-531d-81fb-3419f8cc78bd", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6a575f10-8478-56b1-ba0a-742918028c6b", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c4d50b37-7d83-5218-82e5-60e03ff9c19b", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:698281f2-db12-57fa-b2be-71ead63c3d3c", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:865440b1-4636-5703-99fc-a6878cacc595", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e39f1139-74b0-5ee2-889c-112b08298bbf", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a6133324-0ef9-5be9-bb9b-9bfc6355052e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3613c067-9e30-5d2d-8cb5-931cabac7625", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0618f656-1896-5630-9567-807c6a72bf12", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8c9d4745-9d88-54b0-b11c-334f5455e471", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:93b6c038-147b-5ae7-868f-1f046debcf79", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4f47a91d-5683-55d7-95aa-e29c82350435", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:52888d4b-d90d-536c-a139-36d5c0714413", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1ef5d3b5-dff0-5122-852c-e210596c85c6", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8515d96c-b639-5f72-b3a8-3d61e7ffef69", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cd44b5fc-490e-5914-bdd3-5a70ee61d5fb", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ba33fcb-4609-5353-9903-38728c3fde7f", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.3" } ] }