{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d3627105-3104-5073-b3ce-69e6ba89af91", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-test", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1c383649-fbf8-5819-b508-59424748f648", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ecfa6bae-d87e-591b-b8ba-5b918b86ab6c", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2beed96a-0dc0-5ead-922d-2e1a861426f4", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2d582c2a-25d9-58cd-a08b-10c05d075d03", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:516db905-b668-5882-885b-23c7dcc91a64", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d35a72b8-c6d5-5aa6-bbe8-3003a962cf78", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:873c6f6f-40ab-54b6-8ab9-631876f46187", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:43bfa947-8029-5911-9811-317cdcca9bad", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:aa57b66e-b120-53e7-b10e-d5c0327bebb2", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6286dba-365f-5fa7-ab38-0218993d0b56", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:613e3e99-6b04-5d72-9782-060c15ec65a9", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b3b7a7f4-507c-5ecc-ab9c-fd130d7a4b10", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:95dd5c2c-d5ab-5407-930f-1ca290170c87", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8522108a-6119-5df0-861d-03616f686ef3", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dfb1162f-387b-5ca6-b68a-0019428a422f", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e3514f37-e587-5c11-b303-f81508e8e0b2", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:75cc35b8-e0a0-50a8-90d1-9a9f36f5871f", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:78f3ebf1-aa3b-5f45-8980-ef71c6392292", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4a023bf5-a2f8-5cb6-a3f1-c3ca152b09e6", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:060a34f2-34de-5b14-9bb5-9b572a8c6c61", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:602c522c-7e29-5c9c-97e2-b12994039664", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:47c5ca6c-1ed4-5538-bd0b-49a3fdd2bec1", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:06bdc5fe-653c-578e-82b3-eecd2d420873", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d00e4f75-a0af-55f2-a0b7-5f4494122e68", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2463301e-43d0-5dbc-a41b-dbccfc15cfd1", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:51e0e841-e785-5f2c-aaa0-91ea2fcbd407", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:24170c9c-a959-58fc-914a-782d5915f064", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:23ab298e-e2c7-599c-8553-1b2be32e0e19", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:06ec2cc0-2f3f-5e38-9c7c-31526099102c", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:00057d20-1243-5505-811e-1a37b2778618", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2bcf910f-95a9-5576-aa90-592e8800e726", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e8d5b394-7d9f-56bf-85ef-07f604c0c42a", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3e68307f-448a-52cc-8b04-db703d888589", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0a17c23a-388d-50d8-9a5d-4ccf2b40ee4d", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b61060d5-8af0-5ab5-b638-6e88cc21434a", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:35b1741f-0f3d-53b4-a604-bf228f1b70e0", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d48082fe-b00d-5072-828a-f64af3999f3c", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bdf1a2fb-e068-533c-8f5e-df8d78ba2150", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dbeb1f1d-b53d-5c14-baf2-9ec7c5ccf7bd", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:809d5cf4-8841-53d8-a7bc-ca94a485c829", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ced61df0-9f7f-5e58-8645-099f067077d2", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5fc728b9-e92d-5b97-a7f9-e19cf7c1e6bb", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21409f3b-f80d-5041-a0a3-02f757c867a4", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-test." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-test@4.2.9.RELEASE-tuxcare.3" } ] }