{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3ce6ce5a-fa7b-5511-b4b5-8f01235c5750", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-instrument-tomcat", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:93af6f25-5b4c-518e-b417-2c9c507495ab", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:75bbfc6a-6aed-5ec8-a698-87e87fa583ce", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:73b83caf-6669-5b02-a43d-10c84095d138", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b7cfc869-3320-513a-a777-24f00a99cf7c", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cb2dfa99-ad58-5f09-927d-415be53e29c5", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fc70bfe8-c903-5656-b1de-101830951f57", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c312ce9f-03d7-5f4d-b896-3cf71d58ec67", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2b0ea018-9d3e-506e-a6c6-7cc404c731a1", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:56fff251-819e-5010-903d-c2ac429fbdb9", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ca98a79e-149f-585a-bbfb-97c54b163a2b", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9f9f9bd1-46bf-5a11-af5e-da2df8b7d430", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:240820a6-1b36-50b2-be52-13032c5258c8", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:38788d17-7c73-520f-9cfc-2e63d7f55156", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:83c26f53-9956-5813-8030-5f54c9bfd3a2", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6ba723a-7814-58cf-9a93-8d164163a48c", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6f8915e3-eb71-55ab-a499-1fad54348251", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1101a186-11b6-5e59-8e96-d79f491f8849", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e89e2c30-9e9f-570d-adbf-9c8a3bfdbcfb", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1a06780b-67c8-551c-8183-30177ac38c23", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0318dcf0-eab0-524e-bf7b-5e26d53ec3ea", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c949788e-a8a7-592a-827b-3d2ddc882177", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a017d340-d8af-51f5-b729-fd7a58201a80", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f2ff54e6-b2fd-5819-b834-e20f80d5b7f3", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:839856b8-a8d3-5281-a805-adb834fc6032", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0523cbce-b627-501b-a6b5-b8df1c360cdc", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:83bf4ac0-81b3-5a5a-abc8-9e8f7e3b7be1", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:38aa7a0a-b98e-558a-83ec-b76951870e69", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f07c1c47-4ccb-5dc4-ad76-6db18cfc926c", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:459efb8e-a8d1-570d-80e6-a670c1f95f63", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:25bf2e22-97c8-54b4-aad5-c92c1fb8c3f7", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:510acd1f-326c-5f36-9715-790365e964ac", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a3913799-4e94-5241-aa7c-6e684275a316", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:78ec57be-45fe-5c62-9b02-d740b24e62f0", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:80419f91-1217-5366-bed0-0c4794506a17", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7614c6dd-66a5-50db-bbfa-039135a43680", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a641085-713f-576e-9bb5-0f96ac1517f6", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d659f8c2-09f4-5c33-a302-cf92912ca58a", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:58ae03fe-6239-514e-8dbe-c7428ccf7666", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2b1dd1cc-c35a-5d18-9f2e-eb77adf969cb", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a25ad0d5-1308-554e-b606-cd72260b396b", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a095603d-6623-5d16-86f2-0a3bb7ece803", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e9d939dd-d738-5b65-af2c-3072e84841df", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:183088d0-1946-58c9-adb8-99933fd52603", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.3" } ] }