{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:dc3f55d7-4e0a-5477-9810-35336813e644", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:571ab95b-c0ab-5703-b0a6-158268253b77", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0f93f497-a587-5cb4-ad50-0f0f9bfa7167", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d9f8076a-375a-5f96-8988-bb4f0e6c813b", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:56a83f97-64e0-5abd-bb9a-8b0912897358", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e0cd2e02-44b5-53d6-9cd2-dbc605c2ae26", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f762183e-08d3-5fee-8386-20df2f2ab9cc", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:28064497-8606-5ad0-9c65-191eaa4ae78c", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:726994a9-1ca6-5718-845f-4d838a6fd6b9", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:427ea0fc-5c61-505e-8340-e9fe1db84f17", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2b641b03-ff0a-513f-b333-d2e7ead7b220", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:be4410b1-0c4a-55cb-b510-d212104dd711", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ecafd0cd-bc63-59c6-b9b4-b84155d7492e", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f87a5dd3-331b-5809-8c84-6cd09b65f68f", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:716cec84-1366-5724-a5cc-e02e83959f8e", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:05ddadfa-d055-5954-9f8c-d04d51d472ec", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f218634e-804a-5360-8708-06ef14c846e6", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8f174e17-d9f3-53ab-93ae-90401ac22233", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c4aed2b1-6ce7-597a-957c-f2f359ff90fb", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:588dfd1c-d25c-5178-804f-36e440cf6d21", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:34adc673-6c71-5594-9c23-ede46ac34c1c", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2a63b0f9-2ae5-5034-8926-d2af5a06c4d9", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d0799605-63ba-5eb1-b3d5-4315fb7da667", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c861505d-d3b7-5ebd-8563-82e3765dd0db", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2d4dcbd0-1da2-528a-b5c9-e5cfc468b40d", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2caf7507-e5ad-511e-801b-690cfa6093cd", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ec618dd4-f4b6-561f-8900-16ff81b5accd", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7c69091e-615b-5cf8-8fc2-afecfe67deaf", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0342c62f-4a92-5f3f-a836-5729828edd39", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:14432159-1a6b-576b-b200-31c16bbc150c", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a04abe41-e1c1-59fe-8f51-03e99f670222", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fc30b15a-5bcf-5b59-953f-04e07a07985a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8910a15d-c6e4-5644-a2fb-1e8722c3f370", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cadad63d-c592-5c3b-a166-f1940a3a6ea4", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e529c7df-e742-590e-a62e-c4f81307767c", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e65bf77e-0e75-5e00-a57a-575236390041", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ae8e9fc-23b5-5895-ab93-c2b89027f171", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:440fc066-6b0f-5dff-bb9a-8f0f38044510", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dc20f3f2-9f97-5e01-ac2f-d988b4812691", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b00fbdcf-a3a7-52d0-a6a0-1035d21abdf5", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a27544ad-3bbb-5bad-bd1c-63703d8db08d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c2f04039-6a02-5736-a00e-6bfe93401d7a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e775eafb-a74d-5637-9564-2aff3edb69bb", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:273d537a-9863-517e-aef0-9ed88f357ee2", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.3" } ] }