{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7f09af7f-80d6-54cc-8f7f-1c859cd65c79", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6bd0a728-19be-5c22-ad55-1a659f3c4356", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6e4e9892-621d-5e32-8926-d451af62a6f6", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9fc24bef-302d-51df-b240-07237f45e5df", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1aa36d4d-747a-54c3-8737-c5447b4edad5", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7f36fb92-1cc4-5b03-a8b4-2dfc254ed06c", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c2a54e30-713a-55d0-8ac3-d3f003e1e3a0", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:45b8a70e-0dcb-5186-a735-51f0b11b1688", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:73f5f4ed-87ce-509d-9919-bd285efde725", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c190688f-1d9b-5ebb-98c4-e7c4a73b0a50", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5743763c-ae5a-59d6-b526-c1a3ff0e0af0", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bc6b1943-e88b-51e4-9526-afb212159315", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8066aa89-a50c-5a0d-9473-1ac370691cd7", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:308b5856-cbb2-5e9e-93a2-65c66b3b3f6e", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2f74bd84-2379-54bb-8e33-340435c50387", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9d8b6cd4-3641-5d87-8ca4-d12266d7b96a", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6f1a8ea0-bd33-5c1f-9e66-f27b3bed6270", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe0db780-f3e0-5c2a-97ba-6f0640113e7d", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c8c8a23b-57ed-58d8-81b5-0dd9e8cc2077", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5e51e800-60c4-5ea8-b386-95b1dccccb7a", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fb085573-a798-5584-8e6a-bd50abdb386c", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8084f170-dd69-5ff1-b98e-9a28240622aa", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7f3337b2-fac0-537b-8a9e-16c949b6f861", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5765a31-0d7c-5f49-b9a0-18f9e7b9a6a7", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f22ac809-9944-54bd-9b58-0d147f8f1862", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:79c8cba3-3ca1-502e-85e4-e2def8c241f3", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a049a41b-f3ce-5b4e-9568-df1a46daebbc", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0f77c9b4-eeb2-5b9e-bc6c-8961ae203812", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:071f537f-52fa-5d13-b346-47a966c38be4", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:92ee70f6-b1db-5a3b-9b04-57450a1013ae", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0b49300a-45c9-59bd-b028-776b489ce773", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f2783e15-f72a-5661-bb37-e968483999d8", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:370bfdc9-c9b5-5694-bc9a-5432cf57c88c", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fb03c338-d113-5982-9d17-4bdd1486c803", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a1a0ca36-1de1-5e2e-ba35-01bd90f3ebf9", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:47447781-43cd-57d2-88cb-b9868c33e97d", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:757c1971-42eb-5822-bc7b-76920c82b98a", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:48f0a240-72d6-5573-8642-743b1a5a71d0", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4aee7ee9-aebf-57d5-b10e-b843e2d5fa6c", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b67ff9fd-ce96-56ea-9f51-30409da02c5b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0391a34a-5e27-5e8a-9160-1c6134796cf4", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:185379ef-ec15-5e19-a1d5-f82f7273d83b", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ad6d11ab-d3a9-5bf5-b30f-25977cb7554a", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e2567f5-0c86-5b1c-a19a-d948d571ef95", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@4.2.9.RELEASE-tuxcare.4" } ] }