{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e40fa409-10af-5989-afd2-a703315b5fe8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-tx", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ad0cab13-45e0-54a9-a224-ce17a259be5b", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eb73e435-f8e4-5541-b994-19d5bfabe017", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eac636b3-06e8-5433-a1e2-32bf1efb8d41", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:14af43b1-ca58-561f-a907-9ec529920962", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3c376c62-afa4-50a4-90f1-721c9c192372", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:33b3b175-200e-57a5-9eb0-a0de5194795a", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f593651e-28c9-5d2b-b0af-d820f861075f", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:05d1e288-164a-59db-9f85-3dad386b2eae", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e27f5826-3f66-54d6-a055-9aebd412613a", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a8766281-024a-572d-9386-71b2f34240b4", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bc1fe1f5-f8aa-501e-ad91-bae88689d836", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ac35389a-0f68-5774-833a-1686c1802399", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f3a6f8b1-2b4c-5257-9a6f-4fc8a35e70d5", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3f6e6a94-6e22-5540-9c26-59698316beb6", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:966389e3-bc8b-5eea-b6b8-553ca91696a7", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:31fe88c4-ee46-53ea-b09b-3e4989ebd6fc", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:507c351e-9996-51e0-bc84-ea6f8c8171e4", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f43b31ce-7742-5734-986c-757cfca2e3c9", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3ba03326-8bc4-5bee-97b5-504e20e2db43", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5a48047-7877-577a-b861-46e7217fe441", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0de7b4fc-63c4-5b66-8969-d0aad861bfdc", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:525b124b-cf22-5bf1-bed3-91d319dbc4bd", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:836fb5c9-6090-5c8c-b063-6c7987e58314", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:97ea0b83-2675-5326-96a6-f18fc2d6e4b1", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:34bba28a-b376-50da-addc-7bdfa7f228db", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b4a9eeaf-7555-5656-a020-d3ca0bebd15b", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:46c23fa5-9a98-5570-a3af-6fa52d581620", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42f9fc9f-d2a7-5d49-84fc-7e0d495773b3", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e1bf82c-12aa-5c0a-99fb-0295d1b5c69c", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:24f14121-55d2-5d6d-8569-b9fed5ae2140", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:59e5abe6-405e-57eb-bc99-8530f3093254", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:032ad2a6-6ec3-527a-8105-668cd92597b6", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3f7bfac0-62a3-5bf5-9c38-f72391391ea2", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6ab7f47c-3451-5538-ae87-55d7c79aae05", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c1865a0d-a233-52a6-8aeb-3a0cf4fe0dc3", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:182a1d69-d7a3-525f-913c-1063d5ca265a", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:471eb949-adf2-5cfd-a701-f2779032a3aa", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fdf57f7c-0c5c-5cf5-89c2-5e75028dcf2e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d4b4ec85-9fd4-5b93-a12b-eb212413941f", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:606eb5a6-91c5-53c8-809c-3c3d4dd38924", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3a54c7d3-d4d6-57bb-9572-7d79f4d5a29f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1f9946bd-fe7a-5a4e-a85e-978b6e85e2ea", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b458d3a3-d6d4-5e57-899d-734c5af61c71", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-tx@4.2.9.RELEASE-tuxcare.4" } ] }