{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0bd22c78-2ff7-594c-810a-3f363a21c6db", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-instrument-tomcat", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0737fd89-0954-5010-b993-5ac9608a69a0", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ded64713-c759-55fe-8bca-6c38d1ff267c", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:43d88249-ff7a-5273-b644-004465916487", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2b8d9429-c24d-5d47-bf47-990743424f5d", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d3dc2715-560e-50d8-8b9b-b07df3afeac7", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1187057f-b0c6-5c80-b6dc-122ff98d78df", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1e3e00bb-1f07-5ff2-800a-00715009f89b", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:228422b6-cc21-53b5-8625-e94eef933fab", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:05d5d467-9c2c-5542-8060-a157d2d0a63f", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bf628c8f-2599-564b-882f-d38cfabbe736", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d92e0750-e6a3-5b9f-8580-3393b4006b64", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7c9676e9-b7aa-5b6f-b947-04a8e3f14481", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5ccce95c-af48-513e-b0a7-d251a8d4cdc1", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2eaee8f7-ddcf-54be-b572-6ced185d8cd3", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:092e0a7d-2876-51db-a615-4de616fcf8eb", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe4cd544-66ec-54ff-bff7-d0dac1cffdf1", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2c3a15db-137d-5364-a097-570fc46d08b1", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:08197b9a-4d86-5e17-9da0-67be35029259", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3d2cb69e-98cd-5f7b-b426-d8137d006851", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1b2f78d1-ab30-5e77-8585-22d88fdd46c5", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:29d27449-9d85-529e-9af1-ea4efa979e1d", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ea1f37ac-7f3d-552d-a84e-e9b8c75b0095", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8ae9da3b-579c-5b48-ab0b-83f414db697c", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c59aebcd-94c3-592a-a9f3-f346ba637795", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:65a7a412-3327-518b-a6a8-b3dbaf3b1e54", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0675b32b-654e-5c0e-812b-167b5c84a2d6", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a866a794-aed6-5788-abff-3134f4c290ef", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:52560b0e-6706-526b-b268-148fc8ad7194", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ac1f038c-a8e7-5d5a-8e64-6e166ae5a02b", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9bb4e7b2-7acc-544f-8999-e4de9877c1c1", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:302d3f8d-8c83-5542-8278-49c094c34548", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1b96eea9-2bf8-5b9e-ad01-e5c9ff6d66a0", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ccddd359-70fe-569f-8ffc-8c47ed9cfaf7", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86901142-1a49-5a32-a422-6b652126a376", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:df4f01de-bfd9-5553-89b6-9aef44bb5cd1", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0069bac8-9a68-5fb4-8c2a-7dfe2d2036ce", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1b3c25c8-3c37-5e48-b966-8ed6cf016b16", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8a153c3f-ba08-5931-ab13-8af94dbb576d", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:755f8f16-bb77-59cc-8c98-51d1636f5332", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:75c53546-59fa-5a6f-a7e7-3768df310604", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d1cca4ff-63eb-5e36-9e78-3e5b91253bae", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2a1cd239-3d0d-5443-af51-d1aad9561d56", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:06214d62-57a0-5e79-8c2a-2a1220e2e8ae", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.2.9.RELEASE-tuxcare.4" } ] }