{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:6097898a-b617-5a86-8e1b-f624b2a3a96b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-jdbc", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:97c64aa9-498b-550b-8aee-f261431298f8", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3a934147-1b5d-5b1c-9a5d-937e601dcdfb", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d757b519-5d8d-542f-b749-3ac7dc3bd7bd", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c869adce-1960-58df-a67a-efabe09d8159", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:599ac021-ff0b-52c8-9e01-fa73a5811f04", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f8703b29-1b6b-5e17-b2ef-cef59493072c", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3e689c2f-4d8f-5038-b62f-a0005364fd16", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:de1797c6-ce69-5759-ae09-3b452ea6af61", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:81dfc2ba-b5f0-5115-92c6-da98f422d7a0", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:909645bb-8caf-5888-ae2f-871366c29442", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:16bfbfdf-5f4a-5337-a095-53780b83b934", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4e0a3955-4ce8-513e-bfa5-dab7bd823af7", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:28caa57d-87e2-5df7-9b62-7924a89423ff", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a065f750-d76f-589d-9a66-b20227db356a", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9480d012-c623-51ce-8244-93c40b73336b", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cb4a5eb2-6aae-512a-a996-c4a0c988f07b", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b52e711b-9ef7-5e34-996c-16256de85ceb", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:52bbcf7a-4bb7-5397-a371-9dc8c7374feb", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7b983d4e-0c01-54c5-9489-bd967fd872a8", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:02d401fd-1f61-5f30-8f13-72fdc5abe20b", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:674fabe3-2c02-54e4-a49e-46025466ecb7", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea1dd31b-2e94-56af-a4e7-430d027675d0", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b2c13a55-d9fe-5c35-9014-92958b22fe66", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3fad5072-67aa-586a-af63-04e6db5566e7", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae947c2f-4fab-5703-92fb-cef87e2fe5f8", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:15ad2f2a-4ff6-58c9-81d3-dd8468fc932b", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a5138e43-90fe-5eef-9b63-e9d9fcb0679f", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3231cb62-8fa9-5161-97cb-3b7a6f61063b", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cb90316f-86c7-50f2-8c0d-e39671165b0a", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7d5749ea-8f00-552d-990c-7cabcbf1c9c2", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8a64ed28-fc27-5a3f-b42c-fbaaff073e7f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:55c5c1a4-ab79-5f15-a0ac-f008e3c9c545", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d938f54c-c886-53bf-a7c4-af00e8ac1019", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8ca1fb60-b829-56a1-84e3-b67b7fbd2abd", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3980a7ae-8f1d-5d46-bd19-48d3e24e8347", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0e164ebe-4146-5d86-96a3-912ec321b35d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:972cd31b-3cc5-5b40-909b-2d568a5265ab", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b82bbdf8-6f3c-5561-b7ec-d1c009abf9e2", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f94dc4aa-e74c-5cf6-9348-f45eb72534e8", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:565d144e-ad9f-52d1-b1ad-6b69ed90370b", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b5e543aa-f31b-5dba-b75f-9242bbb6e682", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ed694bc5-ac15-5355-a63a-25ec41ec2cbd", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f639a3b1-8319-56c1-a7cb-8a2f68943237", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.3" } ] }