{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f98a42d7-12c0-524d-9b43-9c399b15fbc8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0b4315ea-9335-5e65-ab15-8fca2e028908", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:234d4a92-b435-5e41-b893-12c0b9698020", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:afc5c75d-1963-57e1-be84-647ffb5007dc", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:47e2213e-6be6-55a6-a79d-fff1049d6735", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3a60a7fd-61fd-5df6-9001-6252ecab0383", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aada5945-5288-531b-b773-2077e614618f", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b924fad7-7acc-50e5-a33e-3dfefd7534c6", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:78f21c8d-55e5-530b-9a38-357288057ef4", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b485c556-5416-54b5-b002-5dfd210b871e", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bdcd551e-727c-573c-935f-bf2ee91c2d15", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d266c465-ac2f-5b50-8870-df06f4322c7a", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f82b8e1a-4ee3-54b9-a12e-50ad3fd08d83", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3f5f6406-d78c-5148-858b-de6674d5b266", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:10c7efb6-dee9-56c2-bd1d-a96dea6896e8", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e1077450-27b1-56ff-8a0a-e6d45e07322a", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5e845b42-5ee4-583c-99df-87a3e9e16a8b", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86739d53-cec3-5641-9081-001a0f31bcf1", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:818f56f6-b2a6-5590-9256-f9fc7b5a714a", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eb118dc8-3d7d-57e4-83bc-e2d390473d31", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c591747b-66ce-5857-a7b4-da2af9c426c8", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:99a92f0a-f70a-5c8e-bea8-e37fc6d3e980", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:92cafaa0-4aea-5e31-9105-2beaa40a6d00", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:94f1102b-2992-59f1-9867-e85c2ddd6e80", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f2924c3e-4106-5be6-9efb-5fdcb8b14694", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3ccfd14d-3867-5d46-b1aa-61c520f43072", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:20a551d2-d8cf-516f-9faa-fb1579dad932", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:59edabf0-fc43-58c0-9920-9103ba9b871e", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86fb2048-85e5-5694-a248-7895c34e57f0", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9931fc87-dbe6-585c-a991-ce8e3ade35e0", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:13f6586a-583a-5185-a96a-a86af77219be", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eff6d225-9918-5eb3-94a0-e2a78dd2d625", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ec12bf0b-d829-5151-a1aa-c37239f08328", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86e4d35f-45c4-51f4-b529-028d70a5af9d", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:20fd6ce6-6f6e-53df-b154-0e61bce6fce8", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:222cf7e9-ca08-51f9-b873-9821788d78cf", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d6bcacf6-2aa2-5147-b310-cc17ac40c908", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4effdfc7-dec9-59c6-925e-5225650087c1", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dbce3f89-8608-5c40-98c2-d662d199662e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fd7f7fac-b644-5f0c-8085-643230579145", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:362798f3-0843-5e85-b00a-ae2f66a1fe9b", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:23dba6fa-aa13-53fd-a91f-ffbe69582abe", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1bae13ca-485e-5ffc-889f-e06af32998c3", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4cd749ec-5d18-5f34-9d77-0ffc1057400d", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.2.9.RELEASE-tuxcare.4" } ] }