{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:be5f50c5-cfa6-5bad-9990-33caf633c104", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "4.3.30.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a1f4b66f-03e9-53f9-9a51-e9ce81a9974e", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da563de6-5abe-5258-8e0e-fd2da4d20d3a", "id": "CVE-2020-5397", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5397 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f9964806-66cc-5b17-ba6e-8bcc1d80e66e", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a863f64e-9bc9-5711-981e-e660db7a6e74", "id": "CVE-2021-22060", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2021-22060 does not affect version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core. already_fixed \u2014 CVE-2021-22060 (log injection vulnerability) has already been fixed in this repository. TuxCare backported both CVE-2021-22096 (predecessor) and CVE-2021-22060 to Spring Framework 4.3.30.RELEASE-tuxcare.3. The fix includes the LogFormatUtils class and its application in 9 files to sanitize user input before logging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4fd857d9-7876-5f6c-b6cd-3203b8d3d35e", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3d527cde-b740-59d8-8e25-0762b59c959b", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a66ffffa-bd00-5c67-9165-8c76fcabb1c2", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f502cad7-d558-562a-9ac4-7faa49465ab7", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6c39a5c3-1f07-5870-a1d5-61e3b04370da", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2e92db9d-5124-550d-8dbb-deef4cb7d731", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eca03e71-74a5-5bcf-bf8c-88113f5b3992", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:18d0f096-14f7-5dfe-b92d-9bd0d1484cb4", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7dda7ccf-44b7-5bda-a76f-2a19bef902a3", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bcbf720e-3802-5efe-8b17-5b80175c0689", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e09f2c63-5e70-5d9d-8521-f4607953ee4c", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:29d8ab4c-10ae-50ec-8de8-b187c2c5e941", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f2237e9c-8e08-587b-b150-06a62b61968d", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e5e38532-288e-578f-abb5-e419d8dcc83e", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:37e7fe8f-eed4-58e7-b468-bda31935e01a", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:66da7c46-60ee-5e29-85fa-d5562d1f7b94", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:72653489-bda4-5d67-90ac-596aa7eecb7b", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:68272c7d-8c20-5036-8223-e581f322d40b", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:564d0879-8e23-5998-9e4e-19f2feda20dd", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e8cc82cd-84cf-5ed5-9043-59f91b39b71f", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9b1c9026-4764-5bb8-b337-a3a3fc8f4f97", "id": "CVE-2026-22740", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-22740 does not affect version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core. CVE-2026-22740 is a WebFlux-specific vulnerability (reactive multipart temp-file cleanup in org.springframework.http.codec.multipart.MultipartHttpMessageReader / PartGenerator). Spring Framework 4.3.30.RELEASE predates WebFlux entirely - the org.springframework.http.codec package does not exist in this version, and there is no reactive multipart code path. Per NVD, affected versions are 5.3.x, 6.1.x, 6.2.x, 7.0.x only; Spring 4.x is not in the affected range." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b06f086c-5bbd-5982-b598-203c0f99c190", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:776d75b6-2e03-5684-bf24-132964210337", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d13845d4-3a92-5c83-ab92-59230127868b", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:817cad2d-baf5-5b16-99f0-db029fa75709", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b79fa8aa-a85d-599f-ac5a-bc76df61a3fb", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:413992d5-b8e5-5e5d-9298-0c711215cb7b", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:266c83cb-580e-54ca-b995-21f578b40215", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:14917359-0199-5848-8fac-10b7882e54bb", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f3d1ab6e-172e-5d1c-9d7b-0341d45cac35", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7adc7218-7409-5acf-8a7f-efbfece0cefd", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:072e6d14-906b-5f9f-abb6-c4c212b9150b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ef9d9612-ce4c-5ba3-93af-7f7e56115347", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:813e4db1-53c5-5dd9-b2d1-5092dba03a22", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:19709c5e-e6f9-5b62-9f63-a4f32330262c", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core. not_affected \u2014 Spring Framework 4.3.30 is not affected by CVE-2026-41853. This version predates Spring WebFlux (introduced in 5.0) and lacks the vulnerable component DefaultServerWebExchange.java. The vulnerability mechanism - Spring Framework's message reader selection based on wildcard Content-Type headers - does not exist in this servlet-based Spring MVC architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7d5f2a95-18b9-5c39-b5c7-fecf55025d3e", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@4.3.30.RELEASE-tuxcare.3" } ] }