{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a7d8dccc-5b19-5454-ac21-9b6223f4f9aa", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-framework-bom", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1870dae2-c957-5998-9b10-8ac631cc1f6b", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:75daa72a-31c4-50a9-a02b-4f11873a65b0", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:82750cd0-b536-553a-928e-6373bfc64a6c", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3c881f95-1061-5c15-8086-25a8c3e2f0c4", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b5bcf9fd-d0f5-5e8b-ad53-9fbb210ba27f", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6f0cb557-1afb-5a53-bf80-a88487880497", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f49082a2-78f3-53ee-90a5-b915113cb908", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae9576c3-f91a-55fd-88fa-a73c8097cde1", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0f16eb81-4d69-5748-b78a-0afbb3821071", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:73ebadc7-3ec2-5c59-a604-df6e5dcdd86a", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3a406c9a-bcc1-5c04-a354-3b3942d8f2c1", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e9612339-859c-578a-a06f-11ecd8255bcf", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:63480680-e8f2-543c-a43a-d9d57a2536e8", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1ba11ec3-fd42-5fb0-a777-6980d1e04cf1", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:789119e8-3e2f-522e-8a35-6c7e24f26981", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f04d8113-9acb-5acb-8a91-05316159135e", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:82856bbe-0dd7-5afd-90be-3f22a10141fb", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d08657dd-5996-5349-ad9a-d85346eb4f42", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2c0afa31-5bcf-5a9e-bb30-073eb31af4c2", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e063824d-c2f7-57db-acbe-f0530ffdb9fd", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d4b8679c-634f-5cca-bdfe-d3469156c7d8", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:45bc2023-d4ec-5430-ab00-ded29ad7e0be", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c70e1f38-db89-53ee-9d82-71e2791477e9", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9f46ca2f-ca0d-5abe-b482-33defbcd02a3", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d39e8f5f-fe95-5695-9f3a-927d23768169", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b2a5a1ee-7d12-55a6-a43e-40112ee4150e", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0f9cae70-90ff-53b6-b648-1b696d1309f9", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0996d6de-6612-5708-ac60-46f456a25380", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:78db97cc-d3b4-583b-8b25-2b8c633be281", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1e8eb252-6838-58ce-bc58-8a2004a846b5", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7020b512-043e-5c4b-8746-163b1fb98404", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7acda385-1a5f-5321-9721-719071ff8d15", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:98546684-53b4-5b5b-aea9-1da66b67249a", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:68176a56-66db-52c0-a72d-3d77eb163915", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6a6dd6ed-547b-5e59-b4da-020f7d675960", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4dfb32c6-2d5e-58f3-9f0e-205db3680622", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5f59f701-b6bf-53e1-a3da-bd259cc19653", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:41abda40-6b92-5787-ad1a-0bba2d76f4bc", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:62faac61-428c-5ff3-bda7-5109ced7071b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f65a7ea2-9010-5e60-a626-fb8134882a56", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:723ce5c0-00fb-5367-aa52-4db5d3950ad7", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b518ae69-9f4f-5da5-a065-e5f26237fae9", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d0edf37a-cd04-589a-84f5-0d742ac95b18", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.3" } ] }