{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:82e6ce81-6a34-58de-bda0-4311514f2be5", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-jms", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ad01e306-1390-57bc-ad08-63d99c7e932d", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4bcead8c-dc76-5c3b-adf4-6a58e36ea1e7", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7843bd5d-2a1c-5355-bca5-cd5444c64d45", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3eef2989-9ba7-5cb7-aa2a-eeaceb3acb28", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d259487e-8c8d-5362-8257-df833d228c10", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:71229b5f-d2b3-5773-9ff7-100da0564f46", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8d64e1f8-4430-5e80-b4ce-ea9abba754bf", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5cb3c3d5-cd88-5656-aded-8869dc273917", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e4431140-85a1-5e20-80de-02324e332f1c", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5a158496-6f50-5e18-9a6e-5e3f9ca011b6", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6d327336-78a4-5b6f-9f06-ad826e21c5da", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:570cfe65-a550-52e2-b6e9-776d9169b59c", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:046a0ef6-5352-5d5f-908f-7393afb046e0", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ed18fcdd-70de-5212-b445-c82e03cd1c01", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8207af5b-a55b-5a74-8354-1a70e4187a4b", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0f22f56b-d38d-5ead-85e0-215109966d56", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a1a76819-689c-5c0c-b42e-a7ab8d469bed", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1db1bb57-e61e-51bb-985e-55e8c8e8758d", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:55975b60-aab6-5e44-8057-3603b4d84e03", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81375057-5f94-5f96-9323-c9fbcafccdb8", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:14e8a062-6517-515b-ae13-603bcfd03a18", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e3be09e9-3192-50bb-b5ed-82fd9be80570", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a4ff198d-d7af-5ad9-b3c4-2057619c9fdf", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7b6207ee-687c-56d1-9126-99e73f30043c", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8ba84488-c321-56e4-9c69-a7fe9837e362", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9ebab348-590c-5dc6-9615-40f1994cabcc", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6e32cbac-ed31-5e08-b23a-c1e27037658a", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:363e0688-f9d6-5e8a-97c3-c9500439c8bd", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b5f5aa73-8d3e-534f-9f08-afc2a45ccd0f", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1530f384-ca21-5b52-8666-ea5ee6399154", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d0764d6e-f1c2-587c-ac90-e6ffa707669e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:784af6ec-8ec6-5f53-93ec-423fe4a8160c", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:61046570-99a7-5584-8d88-5dd4b364a647", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:496a4aa8-cc0c-5f96-ad5a-170742534136", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8aad60c5-4472-5b92-b04d-7f43f4522ce6", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7a509edf-166a-51f1-a666-743a694b2ee8", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0a2aae56-02f7-5b03-a982-c3fdf53e8912", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:97168d33-be6a-5bf1-acae-7719474b71a2", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:212125ce-26b7-59cf-b683-2133c8353ff5", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fbe28f33-1b45-51ff-a65f-539a19d755ea", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1c043a50-8ab1-51af-9a36-17877716ecf4", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:781571c7-30f3-5843-87a6-9c54fa3e41f5", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f7e91423-f0f3-5586-a7aa-0d0856622225", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-jms." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jms@4.2.9.RELEASE-tuxcare.4" } ] }