{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:9c5708dd-d1b6-51f8-be5e-32e04000c28f",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-core",
      "version": "4.2.9.RELEASE-tuxcare.4",
      "purl": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:e2f3fcc6-b5f6-5d95-bb9a-a4e00eb0f767",
      "id": "CVE-2016-1000027",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not to expose HTTP Invoker endpoints to untrusted clients; if no such endpoints are exposed, no further action is required."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1105c83a-798f-5773-9116-e7167032969a",
      "id": "CVE-2016-5007",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:db7c2d80-72df-5b69-a6be-70f7ac131329",
      "id": "CVE-2018-1257",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:55c60443-59d9-59af-9762-ffb58085bf7f",
      "id": "CVE-2018-1270",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2018e85f-735c-5d66-bae4-8bce9cef085f",
      "id": "CVE-2018-1271",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:855a548a-f28c-5b12-966f-4fe94069d81f",
      "id": "CVE-2018-1272",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c62ec544-b8f9-5866-976b-070df9562ae1",
      "id": "CVE-2018-1275",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7bd13020-420f-5bba-a34c-504e89ee15dd",
      "id": "CVE-2018-15756",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:117d4dd2-3fb0-54ea-906e-419a9e698909",
      "id": "CVE-2020-5421",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:96a3b41a-dffd-5bec-8109-b5b7a4ca0d5b",
      "id": "CVE-2021-22096",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:19baf1af-d069-52bd-a15c-9987157bb150",
      "id": "CVE-2021-22118",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5086d010-0631-538c-88f2-4d33380267a9",
      "id": "CVE-2022-22950",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dbb3d744-a0b1-5ad9-9733-a0156436b161",
      "id": "CVE-2022-22965",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6bca624f-2ade-53a7-ae9c-ea139a712e95",
      "id": "CVE-2022-22968",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cb417303-76cc-5e17-8b27-742298ab6fe9",
      "id": "CVE-2022-22970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a96ebc07-7399-5a0b-acf7-8509919ac603",
      "id": "CVE-2022-22971",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:727d2586-7c42-5015-9ccf-73881fb138ba",
      "id": "CVE-2023-20861",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a73f7ab3-58f3-528b-be77-b342d6f520da",
      "id": "CVE-2023-20863",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c3f73e0f-383b-56db-8779-d9cc7f401df3",
      "id": "CVE-2024-22243",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:18063d0b-3603-5fa5-8c8c-0d2edcef5e8f",
      "id": "CVE-2024-22259",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4648d961-7c70-597e-95f2-1efbc7d9b4e1",
      "id": "CVE-2024-22262",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d5b5c9f8-57a4-59f5-b72d-974ebd934aaa",
      "id": "CVE-2024-38808",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:16335769-3d15-57b1-9774-18f9fc85019c",
      "id": "CVE-2024-38809",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15c3fd01-0244-5f64-a270-71d95ddd37cd",
      "id": "CVE-2024-38819",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15bee0f7-bff7-581f-97b0-32a8862d237a",
      "id": "CVE-2024-38820",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1556c78b-9719-5126-b377-df3df66eb45d",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eb885dd0-0015-556a-8791-8d1c16d315b6",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:74972d09-e4b0-519d-b8c8-c6815d393304",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4fc32d52-9416-5d9d-b6fa-bd84ea84ec22",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9f173b0e-4d1d-5ec6-a8db-46ed09bf8cde",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b4df546b-a27c-5a2f-90ca-03f117cb246c",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:59a5fe54-9a47-5de4-9acf-85c22334d36c",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6ecd6121-679c-5dfe-ad65-7c1d47b39dae",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7107d077-bd4d-5e99-bf62-a0bbdac0da97",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:797834c3-3f28-5fb1-bcac-213318398141",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bc2ce1ab-6cf5-5377-8ad9-cf3894349a5e",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f0cbeff2-d5ba-5c84-9ae9-69e8b6b3b09f",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:715acf3e-68a8-57d6-bc46-3af7046c217a",
      "id": "CVE-2026-41849",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ab671e5a-45ad-5f72-865a-c7009a77112f",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bc967ab2-989e-59fe-a030-60bfc127eeb9",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:47e51042-c1ce-5133-860e-7eaf077e5859",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e86e6f4f-bacf-5591-a18f-68ba9d76a1b0",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core. Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:92ea169c-af8f-55fe-9af0-ae26d9afbd49",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-core@4.2.9.RELEASE-tuxcare.4"
    }
  ]
}