{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a18b4eca-7acc-58d9-8da9-11c0ff8e3157", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:90566b0d-f7e6-55f8-ad1c-b9b78d970b89", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:64fee323-e151-527c-9cac-2bd36a8b6190", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c4a64136-7f74-53c7-8cc5-fa6dbea867f6", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c8b695ca-5d79-5d32-9086-34a79ba9c91b", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2c07c580-d669-5f66-bfff-5b7cd3bb1846", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:68a37dd3-93e0-526e-bd17-af61af7f0253", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2d2513ea-6c52-5023-9d98-460bcd5163bd", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3a4eec49-87fc-516a-add3-2d6df9ba6be4", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7a207347-cec9-5980-975a-eaaffc625daf", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b43dcfcb-e544-5c6a-976d-c89037286bd0", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e10ffcdf-d8f3-57d1-b1aa-6f1780c98780", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c63e7e13-ef97-5ed7-9747-c544856b82fa", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8c6c9d61-fe9a-552a-ab38-a973b4747f08", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:15f55633-2eec-51b1-a208-81c7015f7546", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:efe1d596-7b58-57b8-adb9-4546aeb637fb", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cc727d28-872e-5efc-a441-2f64fac216f8", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6d9564d4-b64a-5743-b7e6-12838f286472", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f66ab470-0b15-522f-a2b6-1a96a97ef02b", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8e57f4d4-a297-5697-8a41-930c430b7b02", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e0bf866-6b31-5fc7-a5fd-38d175145816", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bcf5f91e-7650-502d-a45e-b6aa8084913e", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:95fe0a98-9d19-5b6f-a539-616836be1b39", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b12f0ab3-c5b0-5999-a47b-555568a4fdbf", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:825b2983-d786-5c06-b12c-ede29989e154", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a58f361e-64ce-5444-8e6e-ed5e843f9504", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2f04cb3d-5fcc-5518-8d37-d4ac0374421e", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8c29bc49-262d-52b1-9f89-e586a01c5b16", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2adf5b1a-abb5-506e-a3eb-66bd157158ce", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8467fc6c-c33b-51ad-9ce1-2a374679fcda", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2d6ca4f8-ae80-5f61-b9d2-dd0ddeac3b9b", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ff5be762-ab38-5eb9-94ed-99c5a11f5492", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b8939728-ecb7-5fac-8a34-92ca0adcdb58", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fadaf8e9-744c-5bea-8319-0af1d59aee43", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0ab6244a-24f6-5b20-8c70-0dd0cf4f1557", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:54c7ca89-cfb7-54ec-b22e-f4101aeab703", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fbcc4d7d-62e0-5248-a52c-afe5af9545d1", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:05d8c986-6fcd-523a-9e9c-0758499ae480", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:98cde1be-1c43-5174-b55f-848ac2635d15", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:da0ce0dc-5536-5a44-977b-ce9bebcbbdac", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a7776bb3-85ef-5364-afa7-0104c669ad55", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:56738f6d-ed16-558f-8ceb-8bdb02891e7f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b620343b-f6f4-5a3f-847d-36f21bbb631f", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a9be4f01-ef5c-54ef-8c8e-f208dec2f8ab", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@4.2.9.RELEASE-tuxcare.4" } ] }