{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:24825a24-5b1a-5ceb-8d94-e63733ae21c1",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-oxm",
      "version": "4.2.9.RELEASE-tuxcare.3",
      "purl": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:aa0f4cda-aa66-5e24-9ea0-35e990164a88",
      "id": "CVE-2016-1000027",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm. The issue is not a patchable flaw but an inherent risk of Java serialization. It is recommended not to expose HTTP Invoker endpoints to untrusted clients; if no such exposure exists, no further action is required."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d3bedeb9-ec64-5fbc-9ff5-69ecbe8b524b",
      "id": "CVE-2016-5007",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:230f9fb3-eda0-545a-8911-1a8e183a4cec",
      "id": "CVE-2018-1257",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:34e50056-e1f1-5850-a403-34a66444181e",
      "id": "CVE-2018-1270",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:114d038a-cbff-5af3-bc5d-0fe3f78aad67",
      "id": "CVE-2018-1271",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c98bf5a5-bf78-5821-92b7-6ea699b2af2d",
      "id": "CVE-2018-1272",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:abc4757d-6542-5209-bcb0-fb4f260b060b",
      "id": "CVE-2018-1275",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ed85f064-9a70-50d1-974c-1046741da2a3",
      "id": "CVE-2018-15756",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c82f7e49-a836-5124-9d3b-8043014bfee6",
      "id": "CVE-2020-5421",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:28c2e180-39e4-53b4-95bd-d68d6ec1cc9b",
      "id": "CVE-2021-22096",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:482cfe38-c28d-5c0f-bba5-7657dea2e2cc",
      "id": "CVE-2021-22118",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:44ced675-2b50-5d83-825f-7736dad6456d",
      "id": "CVE-2022-22950",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e892bd27-bf64-5b79-9439-b4ce499c7779",
      "id": "CVE-2022-22965",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8051beed-a6ea-5c65-85b7-242b77bb37db",
      "id": "CVE-2022-22968",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f05303fc-1e05-5ec9-a640-265e19aea016",
      "id": "CVE-2022-22970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a9492c1f-5550-51dd-9e8e-b76b4caf91b1",
      "id": "CVE-2022-22971",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:184d5aee-a0ed-53d9-a1b3-43e7f32ff16f",
      "id": "CVE-2023-20861",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a42e8e26-8dad-54fa-9b74-d25dc8ce4b79",
      "id": "CVE-2023-20863",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6b8203c5-ae7a-55d9-a3f0-8e49ccf2c537",
      "id": "CVE-2024-22243",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:95b74d3f-44ae-56f2-aea0-09b47d22ac6b",
      "id": "CVE-2024-22259",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8b9214f5-8af6-5638-aa68-4419b9b6cf2d",
      "id": "CVE-2024-22262",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b0a94bf0-e8f2-598e-89b2-757edb1a72a7",
      "id": "CVE-2024-38808",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:69ba5e67-607b-510a-b25d-85f45966a886",
      "id": "CVE-2024-38809",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c5d230ae-554d-554b-a05d-584b83413ace",
      "id": "CVE-2024-38819",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ef1cf257-6c74-5dd7-9521-9b48462c1c8c",
      "id": "CVE-2024-38820",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:db0339b1-2c9a-57d2-aa9d-37958a35ec7b",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dac8d367-2da4-558f-a264-85ed216e2a8d",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ef7d4ed9-ba16-5bab-9f71-9d64e632d6b2",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dd86a21f-3413-5046-bb8e-563b7529afd1",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4506b9af-5e13-5bdc-8e2b-9cfa0ef2e3b1",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e13a61d8-c254-5a0f-bca7-8310cecbd94d",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:73c5a249-5224-59c5-965d-10eb3f78aad6",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ed94e799-abc2-569f-b95a-84f70ca15bfc",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9c77d8cd-66e2-53fe-a48e-b901226f6dd3",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:329be483-85a7-52ea-923a-e97cf3fa9cd3",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0ec1e14e-2094-598a-817e-b4662aaea352",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ef912ae3-2f9c-532d-890d-5132a4a065a8",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a238aa0e-feb1-54c4-9421-1a10ec369e96",
      "id": "CVE-2026-41849",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a94bbe2f-2976-5f90-96e0-a75d7520428f",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6562ff13-0f5e-5d88-95a8-299aa6533c6a",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:efa2e2ca-9a71-5dcf-a209-6d7cf071464a",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ead08c7a-00af-54ff-a984-4daf690f1f40",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm. Although Spring Framework 4.2.9.RELEASE-tuxcare.3 does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9969f95a-6614-5853-8d35-1a8c299e6b03",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-oxm."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.3"
    }
  ]
}