{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9fad8834-c31b-5c16-9b6e-54a950415932", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-jdbc", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b3239f1e-3632-5d6a-bde9-9d3c64e8e1d6", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:091523f9-1ded-53b0-a0d0-28ad3b9cc327", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3d936adf-7cd5-5049-83f0-6dbd6ba7e014", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:39274d79-3a8b-5279-b309-84d711ed860b", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a9bae2cb-2359-5a96-a796-91ce60a550c0", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c089f40b-371c-5e75-a7c8-fb1eb3445456", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b9b202e0-f811-5caf-8228-aa21e5429af6", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:655eb154-9ba3-5ef2-97ba-51b1b516759b", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b0a8917e-29ee-501a-af6e-56b76ebc009a", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aff5272c-706e-58d2-99ca-73f0c6cc4a5c", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b9846b47-7a69-5c1a-9f41-3f7bc25ffa64", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a4791ef4-c168-5fae-a096-fa1430f7b89e", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d54727b9-c0ba-5d25-9334-81679a51029a", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d21bf99e-960f-58a7-8bf4-76654fadc4d9", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:84f25f53-53cd-5386-a3bc-035368a8257a", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:40f63db0-0143-52a0-bd0c-a01ed6961a85", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c7c53851-dc6e-56db-a1dd-e5b20dd67593", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:58b1c85d-fd42-5def-8210-358288850172", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2bfcd89c-44c6-524f-9c95-27636fe46658", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2b57218f-b702-59f8-93c0-eab29b2cbf79", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3fb2b7cd-9649-536f-9bd8-8ecf0db743fc", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ad834c2d-2ae3-5448-8f10-a52784b71f90", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6bf5d4d9-edc2-5923-9079-2c57c953a4b8", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:76df3b6d-fe27-503f-9d0e-ecf7a6040e83", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c79e6d16-1440-504e-abea-ad91f8bae3f4", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:67b793b5-c797-565f-9c42-8e8775866f96", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ac3b9245-32e0-5a2a-8b07-7e3d0cad7fcf", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:82a1fc08-237c-52be-8411-2c698c82e5b6", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5650216e-e4eb-5c55-acb3-6bb0ca70930c", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:806e206b-4206-55c9-95c6-24c7f8a98b31", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:40d0f3fb-364c-5536-b411-2f8485f80719", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:94b7c18f-ddb1-5083-ab14-22b243b87844", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2de64142-68e3-5886-bf21-b4ff919ac240", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3ffda1cc-2215-5611-9fcf-b5bd8fb270f2", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:de867101-c88c-5c4b-b1ef-829e1f29051d", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c3aed5d6-d011-5aa4-b86b-9b8d57c00c50", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dda3261f-ba3b-5a6d-a0db-633662fb28f2", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1f8af772-d604-5f00-ab0f-fb9e05518749", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e22094d3-198f-56d0-a8c1-0535623dc92f", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:abb58b6d-8cdc-50eb-8bba-dc8c520577d0", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b213fdac-2dcf-5587-992e-182b7aeef284", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:147a0249-10c9-591f-93aa-cd7b8f5972f4", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:76e9ab7d-c938-59ee-8534-466144908aa1", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@4.2.9.RELEASE-tuxcare.4" } ] }