{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a8110f4b-c8ff-51d5-a1d8-223a2f3b1d63", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c2cbfb22-79f2-5e49-b40b-f3572ffb1ec4", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:afb7dbd1-469b-56b9-b45c-ae367ac834de", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:755c8169-5142-5706-804c-e4533286f973", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f8305691-2aa8-5d50-9bbc-86bef4933da9", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0d350269-e506-5e9a-954e-10d77dc52585", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f26ba2a2-998d-5798-a127-b433b84b4236", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:82a9f338-830d-5987-8dc6-620757046200", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a188d538-e012-531d-bf7d-c47a790dc0d0", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4137879b-0adf-5fb5-a7f2-a81f7749e1fb", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:16995277-8db5-5a45-9330-0442cd030738", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea087c81-fbef-5ada-aa35-86c3f2abbdf9", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e0c8fa30-61c6-597a-84e7-752fc471359d", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b4fb044a-fb11-514e-9cb8-6f0d6029d40b", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:80209620-ca94-537c-bfa4-31baf416c7f2", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:60b78401-8376-5846-b3f0-dd0326d34254", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b0854368-74c9-5e4c-b161-80ea0fc8c944", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fd5c6512-3520-5476-acc0-7c801c68a053", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:839b3519-4119-5b85-9dc8-2ba1434f64b3", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f30583f0-1feb-5a9d-81ba-76d45575c8ca", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0ba0e537-65db-524a-845a-b499eded477c", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd86bc91-0dad-5925-963c-07b9cd4ecb75", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5fe81ed4-09d1-5fe1-8b69-77c862fb523a", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:83b8035e-ed83-556f-b3e3-2d9b2c215b5b", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8af22e8e-c9e5-5436-8e7e-3988e969179a", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:05668bed-33f9-5a35-80b0-1e9dddf1c0bd", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b28b87a9-b86c-5b88-8623-51c6e752d179", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8cc43e46-8101-55b8-b3ee-abaeac448c3b", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:116494aa-46c0-583c-a3e8-97d929fcda28", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:52541382-38e8-5545-9881-35d43a89dc04", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:798be63b-4110-5c74-9007-7b1a2ec255d2", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ecd2da80-c0c0-5b91-a896-0cbfece8a27b", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:922bde30-f5bc-5f25-95bc-ebd5d9c686ad", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da8037ea-9dcd-5fd4-a8e3-0bccbe450da6", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8b97bc83-4f93-5543-8818-299bc8370b27", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b2673ec8-041f-5163-a30f-bc54075abd70", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fc9d8065-b978-5717-8736-b8893dbe5e4f", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f7c1570c-6356-584f-a020-f325bb2f8b27", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:93ad971e-264d-5860-a5ed-daa4c94461ff", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2a0120b6-ed1d-539d-bd9f-c532603c5925", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:126f0c2f-3684-569a-bf43-ec3c09ded303", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d90016e5-8712-582b-8b53-6ce642362489", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a9e42814-9e4a-5ac9-a9d3-da023cda4f4f", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:765f2b9b-6964-5977-9d2e-7b07be7b92eb", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.3" } ] }