{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:af77311c-5fa9-541d-912c-db4ec2eb5257", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "5.3.39-tuxcare.14", "purl": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:cb0c78ad-a1dc-5a9c-b862-f342626d76f1", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bb144bb0-49b8-57db-b6a9-776ef419780e", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-orm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:139af1ca-9309-5b16-b10e-d790b761250c", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:321c4175-6b3d-54f9-90fd-8b8186b5b983", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bab0f908-67d3-526e-890f-62a73e6f99dc", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:807ea029-152d-5709-a161-279b85ee266d", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:aa6f7d50-5060-5f83-be2a-8c0e1cc8a08a", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:102df3b5-3008-5f3c-bd43-d7aed7973ef3", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-orm 5.3.39-tuxcare.14." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:f28ba5d5-8c44-5646-81f8-ee923865fd12", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:1b2c0f6c-d9cf-5c2f-8ced-66e1795ece48", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:c44de12d-8afe-5afc-ac93-70f036189ef1", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:c7ab8fa3-c1eb-5907-92bb-c0a4b3c871c7", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:5d4baadc-daf8-5ed7-89a7-ec3dfb2babc9", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:1d22be21-aeb9-5ddd-89ae-fb153b9b92f0", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:5e7c22ab-3ffb-54ab-98c1-6a537ae82e05", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:3be87b30-7e09-5439-a472-4ced5b2e6e33", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:b666b734-9ece-5279-aa71-2857a674aa01", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:10619665-33a1-582a-a842-469c4a83d8f5", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:44108b9d-ab2e-5307-9e54-9784ce77c345", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-orm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:523f0511-1228-56b3-ba55-1f736e6a30ae", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:4a90935e-ce66-5435-873c-01b006c1629a", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bb272761-26de-5ee5-9030-4b0caef277f2", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:c18f9d61-6a71-573f-ab8f-e7c724f8ee32", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:a8a0491a-fbcb-57bc-8b48-7382f1ae42a7", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:d20cbc58-6709-5385-9fb9-34255f0ed315", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:95df9f30-22b4-5b18-ac47-b921a4198f36", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:fd78bec2-741b-57e4-af15-bc4ffcb129d7", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:05a589a8-32fc-5c98-86b1-9ea7e39a80a2", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2e23abbe-d253-5131-ad6e-2ea2fa1e3e66", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:d487be2a-b750-5a38-9673-f704e9f7d228", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:3ce11c80-2dbb-5e36-b4bc-87345554cb8b", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:f588d2ee-b420-5d52-9e92-d00f2c19f912", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:765c06dd-0e75-51d4-b5e4-2bddddd463a6", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.14 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.14" } ] }