{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a38ce1bb-c6d2-5000-b69d-b4d8b88a0a16", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:657e5d9b-6b32-5f17-9acd-0d04a6a5d8a6", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f36d4121-40e7-555d-9386-ca422ddda91f", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b924dc41-0ae0-5a0e-9574-2b0685061c44", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:961d5009-dc42-5553-ab32-73e2345f540a", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:13a68f7f-e843-5b1f-9398-670577c5aa00", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2d8ebc44-e226-5bc4-9ab5-f47709ccfc0e", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bc1294f4-5555-54a4-9ef4-415eed473811", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4ef9850d-ca1d-5879-8569-5ee1263b21b9", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8a2971ea-3b79-5743-8843-cc7ebd78ffff", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5461d8a1-a1b4-58bd-8fa7-07f33a866205", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:02f947b1-5fdc-57c4-bbb3-70690eaaa263", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21cf1497-87c1-5533-8758-bf8e9c1a1fd2", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8e8dfc71-7964-59a1-a2ed-85c5c2d27a97", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:adf5c4cd-dd18-54e4-be61-bfb1911486da", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c8c0c129-828f-5559-bf02-c2180b136fbb", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cf084769-b0b2-5757-8a74-d5d37595ae09", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:06796626-51ad-5495-8fe2-cc5cf878602c", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fa26ac09-5000-55e7-bc10-a017c852e85d", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ba82a493-5fb2-5ea0-9abc-fa3d998e5ce3", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fe4111e5-9ddb-50e0-abe1-06173c099dd6", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:606590a5-4f39-5d0f-b736-862a9a94ba52", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b3194f14-8d0a-5591-b669-8fe34511abc2", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a39ed5be-8ebf-5656-a71c-91fe3feac149", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ec44134f-107e-596b-a08d-dc6ba7af735a", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cf1186bd-4b92-5c23-aaf9-82b6bcbc4789", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:df52d213-8135-5962-b77d-95a84a5c550d", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1afe437d-909d-5592-bf67-901cf4f69eda", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:19b45bb6-e0c1-5cdd-b1f9-e8892bddf354", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:94492aca-428e-56cb-a4d7-587d1f99fb67", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6f902d0e-4f0d-5d84-bd1c-1970586d57d0", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6d16a9bb-b953-56a5-96ea-a706635c0d22", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8589e8ae-e34b-5604-b0d2-835e7ca0c4fa", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8baa539f-4d0a-568a-ba2b-eacb3c2891ae", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:671c40ae-f8e5-59a5-b4ec-97ee34a61794", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:36bf4f3f-9c0c-5fa2-8690-f8270abc7799", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:35f7c50f-a27c-5c6b-8490-0f9234079865", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d2245242-3834-5ae3-b5c5-19127498e913", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:063958d7-bd6a-5028-b1b8-993393ff91d1", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d9f4a3c5-3ed0-5fb6-9433-43677111ff6a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c7d207dd-0ef8-5560-b494-361585a9aedb", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:86541188-854d-5987-91c7-b974953de381", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:69268a9e-367d-57aa-bd61-731931e85e35", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:19ab56b8-099c-55e2-8112-ab57c0938120", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.3" } ] }