{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5b3d577f-1747-56bc-9c6b-bede7f68495b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-jms", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:e16e17c9-d152-55a1-9697-a023330631a2", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c109d3f7-e4ef-584e-a364-152b51f6282b", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b4baebdb-9bf6-574d-9191-00d60b78d2b2", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:78356b24-5d35-5422-86f1-e30a7a09e8cf", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a7b3bd61-1764-58ab-a6bd-73c65f333d14", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:89014eb2-7af5-525e-885c-d7eb10ce2727", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4d4a4d37-905a-55ae-bffa-29e11a56ace8", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d5768136-a581-5932-ade3-c1c70c99528d", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f00d4c01-abba-510c-af3f-be98d29d7ea7", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:adeaee90-153f-5809-9f53-ab5f2155fb9d", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:18df4561-006e-509f-98f0-ffb4bfbcf160", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:257bbd16-7579-568c-af0d-c01f56683044", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:584329ca-2141-52a6-95ca-f2e5dfb21309", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:50d6bb35-5a90-5c5a-b5d1-eb708d570951", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e3f37d52-c24b-5851-94eb-7f15d0825e4c", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ec2f44d-090f-55da-bb83-e09f5216dd60", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e137bf14-2062-5e1c-8049-5d88f79e0102", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f5cd8b14-73f9-551c-a801-f273e65bffb6", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5eb5364d-9be4-587e-8e3b-41a86bd86782", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:96e472ba-6a66-564b-a06c-1471f67b1a76", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0b0f099d-e51e-5f52-8a33-e85de94e7600", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:587a881f-129c-5432-ba1c-c3f768c1ef23", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:30d58637-b447-5bcd-8824-33a47f2490b3", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bab8c7ac-85a4-5e59-9ff4-65e6314329f3", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d3d57bf3-a69a-58ba-b356-ba3be7e4e4ea", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d88fa2a5-dea1-5f5e-b928-914cc66b799a", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:365df09c-7252-5490-9aff-eef24467dac9", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6c988ff-c230-5227-b168-5d41ac5f18eb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bd0623d6-33e7-5d04-bf18-d6c805484316", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:deb9c54e-c49e-5cf7-983f-35ea6e1a0d0f", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dadef37c-a1f7-56a7-990d-9933b3102a88", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eebee696-eb56-5798-903b-a5f7297948c6", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4fb0b7a5-eba4-5190-99db-941f77313e49", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae42451c-a8f2-5cf6-9140-f0af29b3741a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9887200b-cbc9-5e80-aaec-2d28ae2172d4", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dc49113f-9871-55ec-99b8-25c290cf49c8", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ff3f3da-840a-5ebd-8851-325149ec3974", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:693da436-1176-59f6-a911-321c49e15fb9", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bf1d5816-4178-562a-ae82-abb58894292c", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:108fafcb-ca40-5b6a-ae65-9700f07d6e40", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6081b4c2-9a66-509a-a1bc-369d2fb12221", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5d6e98bb-e6e1-53d3-bdf2-c92be8bef62d", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ef8efed3-f4b9-51d9-9f06-57d0e6058b74", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.3" } ] }