{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:49518328-2968-5d43-b2a8-70aaef10f646", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:854ec1d2-da67-5602-a54b-501b57060faf", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e4e9214b-d0e6-5c50-8dd9-6aaa50ad9c75", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ee63479b-1912-55c8-a1f3-8bb4b4395b11", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5119a2fd-8b11-5da0-befe-aa925c5c0490", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ddc4e76f-a76a-5432-9145-4e418ac98602", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:08209d70-0b01-5ee4-a7bc-0b3ada9da88e", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eeab34b6-41ef-5c10-9f60-2a209a1f90e7", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ad0d93b3-a868-512f-a787-0168bc5798d9", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fc7bb661-cbdd-5f37-b6cc-c961dca552ad", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2579982a-2527-5eab-b261-fbfe2335d17c", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:62b9f20d-4a96-5bf1-99aa-72f18a22723a", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8e6469d1-d7bb-55ee-8efa-acb7dd864223", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a4f69070-615e-5b44-8c9d-4d318a4ca755", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4ad94fdd-c856-5357-abc2-b984d294f08e", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86237ed4-8681-5562-9b07-b5fd0ec98ecd", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fabee565-f1f7-5c97-a816-28022573c261", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e9e2b69c-b04e-5376-bdf5-6cc82cb0decb", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:973f20c9-f415-50b1-a5ab-e3d1972c05de", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fc1c2816-b1f1-5161-9387-0231096db3f0", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:87ed3327-e5c1-5273-a111-b812145a67ee", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:297dc3b7-578c-5197-bdd0-b9b205c9354b", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cb9468da-6d0a-5819-ab47-127dcec92636", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:878044f4-4961-5b1d-85c9-1eea00ffa09d", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5a35b59e-0526-5bf2-b54f-cbd9b72185d0", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7c9eb28c-7c53-5500-9612-292ee479c07d", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3ef80469-ce21-5ee2-95f5-398f683b23d0", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:504097bc-1983-5ce5-9f22-743255b108f8", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c5ebdde0-747f-5792-a8ba-15f6bddc97c9", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5f3f3125-2a83-5c58-96c4-f5012ae5aaba", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5cf76c99-4df9-53d5-a827-ddbd4ccf498e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:58429b02-fd44-5bd2-92f9-062c3bb49231", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a3bbfe21-66f1-5862-8680-8e7591defb48", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:77491470-d200-5dbd-9291-8d5815d2a306", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a366ddd4-0ba1-5e6c-afe2-45211b5ccd3a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8a9cc8b3-9e0c-57f4-9541-5db06da1f7fc", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1f34b85d-b035-5885-9d41-c1d98991a341", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b123ba1b-3fd2-56fc-8aa6-b1b11ab8f04a", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cb12d379-f501-5196-b44c-e83dff9c7390", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2fa19666-bd8d-5c21-917b-3f0b07b9ae95", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4c0f5326-ab9e-5c58-8e41-e12a5ab3fb9d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:18dbc11d-3857-50a9-8c3b-9ce28bea9378", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:348d077a-5cc7-5704-aeba-76c56c432e97", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4eaf0c63-0151-59a9-a475-dd839830379b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@4.2.9.RELEASE-tuxcare.4" } ] }