{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a7cef711-06dd-5a12-bcb1-2924e20a7eed", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-tx", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:29b5ef19-10b4-56cb-808e-8f609a1b58df", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9b60037b-8fe3-541b-9e2e-3200658cc528", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0ff59ca7-1f43-58b1-ba67-f719b4edbc42", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e33d63ba-d3c9-568c-94b9-a8e44d9f5695", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2a8cdf7d-55b1-5129-8313-d3c36f861a19", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:74475fc0-7fbf-5dce-8576-12759cd7b26c", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:50d7a636-bf7f-55db-910a-7c456dff6560", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:04cff172-f41d-59ec-af30-cdab15ef6124", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cd4b9d33-dc77-54b7-b032-d5d5ce801c37", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c86f4f89-a330-5db5-ad97-2811d1b14d17", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c03567f5-52f5-5a24-becd-07dfd59a757b", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:641ca077-bb7e-5068-ac96-149c62da823e", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c7391785-6a8c-5472-9d9f-c6c07cdbb2e7", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3cc229e9-e9ff-5466-a990-07f2c5b20538", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:45ea001a-c938-50b3-8414-0539c76307af", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1f743514-1007-5854-a795-768def62214c", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dbd62096-3fad-5d9d-8fbf-90fa2ce434c0", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fca2402d-7256-5fc3-86a4-232356d30231", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9a820749-9232-5edc-a27c-fb7502d9a082", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:610abcc3-7e0c-51a0-8c0e-54f0bbc8e0f9", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d969c2ec-3c58-54a0-a9b0-3295b23e24f2", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b9a6e00c-3017-551f-b90d-f26624bb2374", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:03b68b0f-cb59-55aa-94b9-60c67b009dc9", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c77c8db1-461a-5737-bdd9-e24075458e2c", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:402f486e-9fb7-5d2e-954f-8478a210050d", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:12f1d1b6-4aba-5394-81dd-a44dceb9f542", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bf79831b-42c5-5fe8-a1bf-17fc8da8d32e", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:98efde7b-0f23-5421-a748-6385e3a71382", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f8aea466-608a-506e-ae60-f4c3a692ccac", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:121e6c32-1869-524a-b7f9-9cc488e2fb91", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4cf55b3c-8ac7-5a39-bb56-d22112b12063", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6606391e-31e7-5e75-be02-5cff20f61f5b", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8ec3d975-755b-5384-ab6d-43ee1f98d71e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1b04d442-be6a-5205-9351-0bdf28275aed", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7acff3c7-7d8c-5005-9f7b-60cb119417e1", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:88817e1b-26fa-5b80-8a39-0052407e519b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:17f80161-6ca2-5d03-80ef-cdd661646021", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ac2d53c-789b-5460-9b02-749d5482d291", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6d14185-59b1-511e-b29e-0d6cc0f855f3", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:70537c8e-7564-5629-abf9-c4e26cc54509", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c26f618d-8b92-56f7-90c9-07363743ddba", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ece73766-7384-5706-ab01-3d067fa9c0ba", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:82cfab90-cb2c-5ebd-a356-009946a2abba", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.3" } ] }