{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b6003f9f-1741-5029-a00a-f747e387f234", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-webmvc-portlet", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:39e1c7c3-0379-58ca-80d6-5c995193fd7d", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:218ec4d7-284d-5d56-b108-36d4bcfbe085", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:10ef5ff9-b08a-55c5-8bb0-ecf0e9989b52", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e1df00aa-2b02-5b81-949b-907eb5b16d8c", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7e9ddd68-1abc-5528-97fa-8c48e3cdeb86", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2d43d6da-9b8f-59ad-8092-9bec4cbb1883", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:42ce1168-c568-5fa9-88b3-6b235afd0bd2", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9898cb18-6182-5cb5-aa77-ff3e1eb9c0e4", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:713ecd51-4ef5-5132-9aef-1b345f4b345a", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1888f539-cc13-5b33-a28c-1e4a0ae07508", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:39c8f155-459e-5b1f-869e-07d0e70d4b33", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:466859c1-1cdb-5419-97ca-7a2441794d9a", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:603b4564-b011-523d-9a5c-460a86c3df88", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2d202fd8-2f66-5891-8270-800d2ec6b1ca", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:882f2efc-4947-5124-9038-380593cfc6c1", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:14fda0f2-22d7-5b8b-930c-63ff6ee82bbb", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ec4a3ff-7dff-5ea7-853f-2d3a2f6e056a", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e5ef866f-8469-53ca-b8fa-e94944b7160d", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d967675c-a54a-59cc-a5ce-ec8429628f4e", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:70fd013a-e9bb-5d92-a076-ea3a69c27ffd", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:89d5930d-0b6d-57c6-83a7-d8611e071e86", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b00df11e-5839-58ce-af21-b6ebf6b24cc4", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6b228c0b-6b53-5093-b38d-e9a9471fe8b6", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ed1729e1-f824-58b7-b694-7295f955b2e2", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e909db6f-00e2-5738-83a3-50bc0ef566d3", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d91782a2-9fcb-54e1-a8bc-765516ed09e6", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:47c1995a-9039-558d-88fe-6076add3e284", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0c02e03e-6ffe-563c-9b81-3d28a8c2c651", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:29ead3ab-35cc-5f54-b92c-6346922296f5", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d59a0816-9ac7-54d1-b243-c2d11ffdfdd6", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bedd4457-fb4e-54a4-8ab4-cf5f9f21b6d7", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6a322bdd-e6c5-5ceb-a339-3d57347d4406", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9fd7efc5-9046-516d-b0f1-04d2810353df", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:19a9da6d-1e67-5630-a68b-ee200240803a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2626d54c-a05c-5a07-bb99-09c8ec871c29", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:857cc56c-56b7-58ed-9455-ffc2ee128741", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:985a64a2-0e0d-57f8-b943-5631ff5e14d3", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b660d688-ba40-54b5-bf60-d3040e284b42", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:42ba32e5-2c02-502c-ad39-06c833400e6c", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d6ff9012-9927-5455-a7ed-87dc814f14ec", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:81549b39-7a2a-5909-9747-3f156ea6839b", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:392f2cae-ba8b-5739-9c1b-e9aff32b7460", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5b879fe8-c35e-5e19-87cd-ecb839a69fed", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.3" } ] }