{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:56da7945-3838-551c-a5a9-e51128a88488", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.39-tuxcare.13", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0ea8eda7-d2f2-5d62-a8cc-937cff42edb7", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:9fcfe20a-e188-5e26-af5f-95cd7b6041ee", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:c0497a4a-a085-5a3a-9ce6-709a5d118cfe", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:eb5d15b2-9311-5509-8d5d-19fdab539eb4", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:37a6060d-7a1a-57d6-8e01-4df0242ffa07", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:fa5bc07c-5d39-5544-ae4d-860d14cea6c5", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:c3caa606-39ae-55de-923b-308e2e7bf8a7", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:068be2a8-6edc-5ef1-abc3-8a9a41c5b42b", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-r2dbc 5.3.39-tuxcare.13." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:f1553f22-eae5-5747-9c37-2023b9a05ed2", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:d503c73a-843e-5c3c-bcc5-8be427d33c49", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:61b04b04-3bd0-5cdf-9656-79fd46813ea4", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:cd8b098b-600a-5584-bc4a-db799ad2e0fb", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:8a14baae-4dcc-5109-a45a-5b20ae1befbd", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:55f110fc-e0ff-5ddd-a1a1-d73d754aae3b", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:3f7916ed-889c-5ef0-8a4d-b3720b994f63", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:d58a0a66-8e0e-56f0-bdbe-da596a7ffccd", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:5e39fc31-1b65-5d64-86b5-877a0faaa15e", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:8f7cfb84-3835-5e07-84ab-5336a82d640c", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:4d0917ab-8e05-5a4d-b874-4e2831178802", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:29ca3fca-19ed-57bb-b68b-f1f72e3d889f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:6f02660d-4156-5ceb-b6a6-d9c6d65a6517", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:90335acd-627c-5235-a37c-5e211b663635", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:ec6c1172-4543-59f6-a1b7-6e2339d68a11", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:ba45ffcc-eb4e-536d-8e9e-dc3b2d72b1d7", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:3b3edd38-b443-5ad4-834a-b1157aa45391", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:53470494-fa4e-527e-aba6-4248baecb195", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:825fc57f-8522-5915-9c85-aa02ff0fbc91", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:faeb6e15-6214-563a-9fd3-e16ddca48c19", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:219ea1d0-6a2d-5eef-b21e-1e8a1e1ef6fc", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:eb596c90-e5ea-5d3e-8357-3924678747a7", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:ed84fd3f-2e9b-5a70-a239-97e56dc81766", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:a0afab30-a45c-55ce-a1bf-263fd81c5b84", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:e094847a-538c-5c23-a07b-bd45dc41d9ae", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.13 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.13" } ] }