{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:4828318e-e41d-5148-a444-efd436b3e456", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-framework-bom", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f989cc02-f9cb-5ec9-a59b-2d6f7d8b56fd", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0a40b9d7-1043-5429-9804-5c31364e6e6b", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0c65912e-e163-572b-ac9c-648c92e531a6", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:37d9db24-ceaf-5a91-a4d6-b91cc38d12e4", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:79b125fb-bbfa-56c9-95c5-b14c377ad36c", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:20d1079f-db69-5712-a94c-30346eca6b79", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:24b36904-d7ad-56ff-a3cb-5f61aa1b3257", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b7f714f1-cfbc-59dd-acb0-9cc83566d71a", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4bdfd07d-db56-5ee9-ac2b-a1aee8fc3fa9", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c1f1d296-7149-5fdf-b531-025392a1d4b7", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2d728e23-26e6-517f-8171-a0cb6546e187", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b2ca133f-b354-5528-b6fa-30b9b2560d1e", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:421af0f6-f120-50f5-8510-2e23a3a512a7", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b42bbc24-c868-59e1-9dba-dfb6540074ac", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7c3cf9b5-8e2a-561f-b952-16ce418dbc5c", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:29146be6-81f3-563a-b6ec-3c8f5a3bad22", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0299f30c-6eba-582f-a317-dafdbefbc417", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6a9ca835-2109-5e98-b5fa-e73ec5e111bf", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3da050fc-e951-5c52-b58b-89b58c51cec2", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7d18b65f-06e4-5d0b-b0ca-afcdcc3d40e6", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:56f83bf9-9e7d-5112-8ed2-930e85d7b726", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3c7ce2e3-c0a7-5879-b686-fddedbe4ea37", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e58c1af-4f8c-55cb-9e66-4718ad4c9a65", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:537146ce-3d43-5be4-9fa8-018383b8178a", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:00059e68-ea88-5556-8f3e-e54b3c51e43a", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d1e58a71-2cbb-5de5-a714-1178267a9743", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5c1d8588-b64d-5ab4-a51c-f180ca109cc6", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:169df8ea-eef0-584e-8bec-b1e73a2b5606", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dd311980-c60c-5b79-9dcc-c3555dd03c59", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e2065e3b-aa5a-5522-b3e5-b62198795b04", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4e246e18-f838-52e9-bc86-18c464686ab4", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fff615bd-3cb3-5d50-8ff9-255b97ce7a4d", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d3e54193-f224-5a73-b677-5bc7b90b12af", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:448b5d46-cdb4-5871-8f01-9606f92241b6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:75813deb-3fa2-51d4-ae65-93535250abf8", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e426c243-f76d-54be-baf8-dcb8aa079737", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:025283a5-c1b3-557b-952c-40c734b4b3ca", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e02e8bc3-ece1-5aab-a8c3-61495aef88c0", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e023ca0b-9010-5c8b-99f6-0c4e963671aa", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4d4f5571-4033-5045-8447-635413306554", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6651be68-9d66-5a94-8438-b4f1d878e7d2", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3db77e06-9bc5-5262-8e89-ae2ed71eddc6", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:63f62c20-274a-5743-bc13-0c906e84c4eb", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@4.2.9.RELEASE-tuxcare.4" } ] }