{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9d3a4e8f-0f34-58ec-b2a0-9c52555b38ac", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9bf68635-aab1-55e6-adc2-8b8596e59865", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0351fc4c-b41c-5655-b725-f3504a0f43bf", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a58d9102-a3c5-5f7d-a88e-2ac06a26edae", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:202576fb-1e9d-5811-bb2d-ace3aafa6562", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b9f3c52d-3c24-5de7-900b-927625905723", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ca4b3793-db0c-5d68-8ff9-039de574339d", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2816f9c3-8322-5a26-bfb9-0ade9ad4af83", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4b437e49-a6ed-55f7-8ba2-27260c8ec866", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1ff28457-55b9-5402-b37c-1aa12f5152f2", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:469c763f-ad9a-595c-9d22-2eed7bc9194d", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:53c416f5-a047-543f-b08b-88615833e988", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e45853d-f4fb-53f7-af6a-b9dbd2856af9", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:504a163d-100b-57f7-b17a-e986f5a18e0b", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dc81faf0-065a-5377-84ba-b9e1d6e2430d", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:de07dc02-1c84-5ccc-b931-e01dd2249022", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a7dd79a8-1594-52f8-bced-11a490760155", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7640f65b-9ebd-5638-bc67-93b9574bfa1a", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3f00c3fc-f4c3-5ff5-9360-9e2e5623d055", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c94849b2-bdb1-5350-a987-f9d39277fc16", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e1ba382a-b792-5ebd-8916-99bea1625af2", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dabd16d1-af18-5431-83cc-6c03363230ad", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:26afb049-86f2-538f-af19-35a12acf739a", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6dc61b13-124a-5cc4-b177-1d21b07c12f8", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8a108f73-48c9-5d04-bccc-6a15c1441c1d", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:53e1a042-0fde-5ddd-8575-9254880a7b82", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:23fe5a26-ed44-508f-b252-cde045162dbb", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6344a55f-d35b-5efd-958e-fb05a65e0153", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e8f5e250-29a8-5eed-bc84-06eb188f6180", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aa98c244-550b-56c3-bb33-7fe474f1c2b1", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c10dc7cb-b592-50ee-81dd-c57e79aceaab", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:814773ef-c025-5b9e-8fa8-5bcb215dc897", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e498f675-2cb6-5ad4-948d-938acbdc45c3", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:10fca9b4-e6fb-586b-ad52-0c4be505cfeb", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cdde5e0e-209c-5b63-8ab6-4a009af780a7", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f002db73-2b4b-5b11-a84f-ce5134afb3ed", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f3bab9e1-cdba-5898-888c-ea8b38e8380c", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ea9d01cf-e1fe-5ce0-94fd-ef08f29d5abe", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:23d87714-81bc-5116-858e-fe63c1e112b2", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fd03f653-2e31-5f2f-afc0-02f71d666284", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9e94e924-2fe8-567b-972f-f87d00c80723", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:758cb42a-857c-54b8-b5f5-c40a4abf7ad4", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:da664f3c-381b-5d3e-8fe3-e60b11ea4af9", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:520a6fdd-0ad4-5360-9735-bb5d6d53a50b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@4.2.9.RELEASE-tuxcare.4" } ] }