{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3f76d9f7-b55f-5d17-b91d-e0d7d1a48dce", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-messaging", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c25d4626-6b4f-5df1-96ae-6ea5f24c54ac", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fbd27ed4-3ec8-5945-b74c-c4c51dc3d494", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7420b9ff-744e-55e4-8ad1-a8867bd836b5", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4e303ffd-7d0d-58fc-9924-328317ab8cdc", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1bc2e2dd-9819-54f3-85f9-daa85b47c064", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ba19c162-bbb6-526b-b375-28f076908491", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:afd1aadd-4c8e-57f1-b9bb-3a32336c729d", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1b4793fa-7a36-5792-87b4-247333843f50", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a0ffb3b6-97a8-5b27-9e00-df31f9a86b66", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:deb7a5c3-84eb-54c3-ac33-33ab194e945d", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3271a3fa-f120-54f2-8111-f91c5e77e64a", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:73bd4419-414f-55b2-8cb7-1e7af0d8728a", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6d3927db-7c87-5d32-8d8a-36dcc3e3a62a", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a7d4bdb0-5c09-51a8-9842-05534698b813", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b133bd98-d2dd-5d94-8f4f-d0ad4afc0fd2", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bb228364-74f3-515e-89e6-64050ceb070d", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4734f10b-0a0e-57ec-aa00-dba2cd628b38", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:99847d46-8b50-5854-aeca-0a5ca9b93dc7", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1d697518-127a-58ca-8ebe-996d2bf2dc7b", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:84ba8c98-7b6a-5aa8-b634-2d6fffd0644b", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:316c9720-9e0f-57bf-a928-334f95a7ec62", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:786f8221-7f8b-5ad0-86d7-993a532f9806", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8953c1bb-1721-553a-b9f0-f14762453b3c", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e4843778-37da-5437-8a32-8a8e18c2eb9f", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2d2a3a7c-3904-5e46-90e3-f4a494da3212", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eeffb575-30e6-577f-98ec-deb0f8dc2706", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0aae3ec7-0bff-5435-84c7-07971c1d9ed5", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f6ba9ee3-104f-5be2-a0fd-3ebdb6b39f84", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:69fded3a-8c26-5d01-90af-2617cb642d73", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5c96d650-4fed-532f-b552-61e8f22efbcf", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:db08cbfb-d45a-536c-8108-aace859b30ac", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a650717f-c5f7-5ee2-8544-f5f9d755034f", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:deb610f8-458a-5ab1-a9c1-fa4102ab6d10", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ea1b6b5-40a9-557d-99fb-8eb44f6b0ece", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4654c193-848f-57c7-bbbc-e41d19235c21", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:67d046ab-52ee-5e49-b246-d11bf2ae67ab", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:282487c1-58a5-5e7e-a459-47a756a1fc4d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4cee71f5-1781-5a68-bcf7-574b5f5cca89", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bffd5444-2b3f-5d83-937c-833fb4e5436f", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1e6dd2f-88db-5ed2-8b71-d443a1bfc654", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0d46df7a-e052-5922-9e4e-a2e880973544", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:651e8440-8602-546d-855a-99ed4b99671f", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:28e53531-2437-5f0d-9704-68193d86f8f7", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.3" } ] }