{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:97cc18c1-7505-57b6-937f-2c5cf8169ee4", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "5.1.20.RELEASE-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:601d32b8-8737-5411-879d-70b7371a89bc", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4a9e4178-2755-51a9-9bb4-561269081882", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5e505e36-21b9-50bd-ab7a-bb82acf331ae", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:927ff81d-17ec-596c-be57-2f4d427cae85", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5cdb0d5e-e259-5f3d-ae4a-a91cdb26e077", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:245d6ec2-afb9-5726-a095-7e84fa7f527f", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a5b55b42-b1f5-5555-8b06-35ea44458531", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:375802b1-ef40-5dfa-841f-2e2d7c036d6c", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4094d740-af8d-5740-8933-673f8168dec4", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:00bc4019-5af4-5afb-a8a0-e05a1f131f52", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:05f806b3-cb51-5d28-aaa0-0d27f0c76a4e", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9466e66b-8c00-5108-bbfd-fbea4f637cc8", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e32ff99a-4c7f-5e5a-b7cb-000d05a0264a", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:549961a7-591f-5ac6-a3d9-9609d00b9e1c", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:12a0e67c-93c1-5663-a9bf-9b3e0d82f6da", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2efa8944-8ad3-56ca-a1e3-d20164556786", "id": "CVE-2024-38809", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2024-38809 is a false positive for org.springframework:spring-orm 5.1.20.RELEASE-tuxcare.2." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4216197a-2dac-5636-ac34-d661bed1b859", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:89c11b2d-b2d7-5cbe-b39c-bbe56e945aac", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c7182895-8ce4-526d-8829-72f3002e2638", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b20e7c1b-81b8-51e2-b0c0-e145772b2f85", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:11011cf8-4087-5425-bf39-2b4d9af64182", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c0343e04-3f0b-5e48-8478-cc676ef92a96", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4e84ec70-6417-5974-a14f-8966afde53d9", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:24bd6258-817f-5165-83b0-b4fea53a6bb9", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d3b54c07-dcf3-58f3-820f-0ba94e4b998d", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:01f2270d-46f2-53e1-98c7-990bbf2ac6ca", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ba22c866-1054-5cba-aeb4-9b914e3c865d", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0a76986d-e8ad-51b9-aca7-ffa425a9e20a", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm. not_affected \u2014 Spring Framework version 5.1.20.RELEASE-tuxcare.2 is NOT affected by CVE-2026-41840. The target predates the vulnerable architecture (PartGenerator/MultipartParser) introduced in Spring 5.3.0 and uses a fundamentally different multipart parsing implementation (Synchronoss NIO Multipart library)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:40f06d84-b144-5313-aeca-700dbd61706a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3a1427b9-bf50-58b6-a573-7f257a44015e", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d45fcd85-e80f-536c-ad58-751810b8b080", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3875d49d-aca0-5f11-a24f-e530516832de", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:354f3ec5-70a4-51db-9172-04143b5d66a2", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8d9a8bf4-2397-5d6c-8acf-4aced2dcd1bd", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:959c682c-2499-5b67-a144-b5c8c01aa4d8", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:449d99ab-1c71-59d4-bc19-77298960a5a4", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3c4ab3bb-d561-50ec-897a-1f3a97a6b67b", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c451deb4-f38f-5e51-8022-679e750f54a1", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d04143e5-7879-5227-b3ee-6108ee459434", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2ab9f06f-b158-5ba5-a472-27530c58fc89", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4637e0d8-f551-5da9-8a34-d6df5f9cd060", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm. not_affected \u2014 Spring Framework version 5.1.20 is not affected by CVE-2026-41853. The vulnerability affects versions 5.3.0 and later, where a new native multipart parser (DefaultPartHttpMessageReader) was introduced. Version 5.1.20 uses different multipart parsing implementations that do not contain the vulnerable code." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d1106fb3-fea6-5e6f-9d52-137023a9f7a6", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.1.20.RELEASE-tuxcare.2" } ] }