{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:1220cd84-d925-5552-a838-964624d40d34", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-messaging", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:4f5475f9-eb09-588e-8d63-bde48e3a6dda", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d5cb4f61-49e4-5f62-975d-b23670cf4456", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a478332f-6458-5257-b7ea-e27ef4608442", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:991eae14-feb1-56fc-ad62-96d4bad89243", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:468be7a4-9d8b-5ad2-9597-c79244b5d76b", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0d091a4e-47d4-5d9d-9cf0-f7de56cfb9cc", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:addc443e-2200-52b1-b4a5-96cf328cfe71", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b69c56b2-94e8-5cd9-bfd0-8930a51df176", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b9dc31e1-5955-55a2-be71-8da63b3d24e5", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7edea48e-5913-5463-9ff9-3767ec5101a3", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ca39c5ac-f2e0-566c-a871-de17b6d6b3a7", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0844f617-db48-5cec-af1d-db74cb41cadb", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0a368439-b3d8-54d0-8a98-fdbaebc16524", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9ebcb0ce-41a6-5300-bd5f-cdc656068073", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:770293e5-fc17-591b-95c5-afa26af64378", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:26f3936f-bf54-527b-b9c2-17e6d50dddef", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:60ec560a-1cb7-5b4d-b723-9d9b017c26da", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:51aec08a-f828-581f-abdf-dc8bfd11e9b5", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ed006b71-744a-511e-9ec4-ae27f20c2906", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a4e790ec-420c-5b1f-9f41-7ecfebb833fc", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f349b162-e06e-5ec9-8174-33cc12282912", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1986ef94-412d-534e-a295-e0f2deabc5d9", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:14486f14-5fed-5b7b-8da8-32c5bc5a11bb", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bf55788c-aed9-5ebd-bcff-1b83809f3dff", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6a586bbb-600b-50a0-992a-9bbcd0af23f9", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:11ecd9b3-8489-57ff-8918-e77b1de107e9", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6ef546a0-46d6-5c8e-9a75-17010b1f5e94", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9ad21c7e-e58a-561c-a540-2f0da24f8444", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d762a075-ee65-55a4-8fd8-cb25f92e4baa", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:db9bead7-ec0b-5333-9118-0766d6d489ab", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:452d0653-9aaf-555d-8daf-48e368fbe0fd", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8bdb51e6-7c1b-51b3-8acb-f8efc0c65563", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4da64cbb-7172-54d6-aae2-0127c65bab25", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1fdd0440-b71b-5c67-99e6-ff424e5c7417", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0b2f5be0-9a30-5ab6-a736-ccd6b8b62088", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dc8c5c38-3349-551f-a760-6714647d22d8", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d7d6735e-74cd-55aa-8a6f-ae3e0f712f7d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b9aba545-1691-5c19-a460-cdd34723fbc5", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fdd92fd2-d938-5c57-bb40-ff25c3ed2ab0", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e942ea44-6831-54c0-b3a8-f19594ffe850", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:77214d88-caee-5ee8-9f82-d019d55e35a9", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a4f47699-8632-5f99-947d-a8ead8735e06", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:39fb0e7b-5d66-5b36-801f-b246c0d72511", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-messaging@4.2.9.RELEASE-tuxcare.4" } ] }