{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:270644e0-c0b5-5e1c-8feb-400428b6c073", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.1.20.RELEASE-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:932050ea-d0e2-55ef-b575-e34383575332", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8b9150c7-5f34-5e97-966e-38301b5b0b5c", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:01bd8706-bb74-59ef-85f0-15b838dffa06", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:766c6038-12ce-5426-a82e-4e5375576c8a", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:af8185ef-42f9-556d-b06d-787edd525b71", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2a181829-36e5-5acb-af98-2fec544ec2d3", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4eb3d17c-5413-5bf4-a4e3-87b3167fa823", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:20f5d6f9-af23-5328-bac4-ada4a9adb755", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6ed9d358-1542-5307-9014-5bca448963b4", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8d179a50-1564-51d8-a4e6-572b9b7124e6", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7ca77173-e646-59de-a372-55c14311f2be", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4b98bef3-db7b-5100-9931-07d3439b5e8e", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4c7346ad-124e-57d5-9f12-8646c7f781bc", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:73d5c8a8-8d56-5c01-9942-dab3541d324d", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fd87168b-4744-58c1-b456-bff95370b2fc", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d3773174-6e2f-5731-a09a-f7838c45b052", "id": "CVE-2024-38809", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2024-38809 is a false positive for org.springframework:spring-web 5.1.20.RELEASE-tuxcare.2." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:32e3ddb6-c847-5820-894e-9613ab04e4bc", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fc156123-e122-5efc-9e48-f1ac48d1e383", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5096b19c-b12f-54fd-85a3-fc854b2ec820", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:682bdc34-6607-5559-b0d2-cd249da51784", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:be0b71fb-09ad-5f8c-b4bc-2c19ca1245c2", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f6718ec1-eb02-5c13-895e-4d157d0a45b2", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c1fed7e5-aac7-5589-98b6-6c5251e9a04e", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:860f5c34-2ee7-59c7-862e-5a2137056be3", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2563d440-6248-516d-913b-cdbbc6653f3c", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a9a5204d-c020-5288-aa9f-33d2d457e494", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ba21ba42-f1df-59d9-a01d-d02aebaebb32", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d395b0e4-b681-5a87-b068-0ddba65580fb", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web. not_affected \u2014 Spring Framework version 5.1.20.RELEASE-tuxcare.2 is NOT affected by CVE-2026-41840. The target predates the vulnerable architecture (PartGenerator/MultipartParser) introduced in Spring 5.3.0 and uses a fundamentally different multipart parsing implementation (Synchronoss NIO Multipart library)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:339464c6-048a-5b08-8e09-42ca4ca17057", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:85cd643e-a21b-5736-a472-06cb066e356f", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:47700ad7-7b24-56b5-8ff8-b4113fb7144d", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e73a9048-457d-5ef8-bd07-3cbdd72457f6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:747f8f8f-b29e-5dab-89c0-8019550d110e", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8e65fcce-57a5-508e-b13c-c4454918332c", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:20854356-8963-5a7c-86a0-f36a534bcefd", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a96aa197-796f-5670-ab00-f16996980547", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9d23758d-23ee-5cbc-88e8-903b47a11bc3", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:87984b30-aa14-5d86-bd47-3ef757a4af16", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f237c7d7-71b4-5274-ad15-cc3a1845c900", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:978dcda6-789a-5c8f-b81a-08a019c25083", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:cb1adaac-6a9a-5437-8f9d-16ed74f3e23b", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web. not_affected \u2014 Spring Framework version 5.1.20 is not affected by CVE-2026-41853. The vulnerability affects versions 5.3.0 and later, where a new native multipart parser (DefaultPartHttpMessageReader) was introduced. Version 5.1.20 uses different multipart parsing implementations that do not contain the vulnerable code." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:88367add-3aa0-5c99-8339-ef357536d85b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@5.1.20.RELEASE-tuxcare.2" } ] }