{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:27e0bbe3-3753-5137-94ff-1e0572fb22cb", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.39-tuxcare.14", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:acfe9063-f1e6-5e25-95b6-865e84228292", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:cdd7bfcf-5bec-58e3-aab6-1c4ad3090210", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:a0681b81-a589-561e-b921-5e67dc004e45", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:ec01e3b7-e272-51b2-b38e-bd9cb9f4fe2d", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:25799ad6-1f34-5c02-8340-51fd0aebff2c", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:a22dbf93-3c77-5bc5-ab83-3ad5f163de58", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:4235a5fe-b921-510f-bb4c-4672095d63b4", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:d2b3972c-6ed0-5a9d-adb2-077a9784d259", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-r2dbc 5.3.39-tuxcare.14." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:4cefd764-00a2-52de-905f-d5dc6c396973", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6df74ddb-fd6b-52a2-bc6e-caf448835973", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:e97e3fe2-574f-57e8-8eae-de842b7fc264", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:99b2a59d-a661-5e84-9591-4e80904fd54e", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:149fc386-40cf-5b6b-b39e-f7a27501191c", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6771d2ff-cf5b-551a-8c90-771b4cdca881", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:466d9db4-b99e-5389-bb89-abc2d26a3518", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:11f87f33-f627-5475-9540-7dcad11eaddd", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:1ef50bbf-735c-5eed-863b-e948c6208daf", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:3cfd6241-da8f-56eb-84ad-f30e8577bcc6", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bc83b106-6f8d-5881-8f03-c8c4a40dbdf9", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:9dd2bb0d-22d6-56f9-acdb-e3cd1cd86a5a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:9c916e59-90f7-5199-87e0-9dbbcb5185af", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:b011d808-8c37-5f72-8c0a-af835fe89451", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:05d1d4f2-3a63-530d-9f12-87d015d5b159", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:865f325b-0863-5bf3-8c43-8c4d3b135111", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:24ae25a4-a3ae-574e-9fe2-4aca8f3e628c", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:4fbf3cba-5069-59db-8672-5e4977b5e7d8", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:59791f7f-6a9c-5cbb-ace8-a837800f0f46", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:206ca218-3437-5f2e-9654-9a482f369593", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:df475ff9-a7d9-5f8a-a679-df0672174f03", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:1c704207-d9a5-5c87-8b59-1eb1d5702c8f", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:08c8cec4-66a5-5a61-87fc-ff4b2e38a642", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:4a25bf89-b011-56c4-a98e-109f7489e91a", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2165ee25-5933-5b0f-af3b-8006fd55fef6", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.14 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.14" } ] }