{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9d80ff5f-ded0-5985-b1e4-dbd88664c999", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-webmvc-portlet", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d1654d63-9032-5cef-b367-5f48551b8ea5", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6f63e182-b8c5-58fb-8406-7d5b6aaf8fa8", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7c558b20-0619-5a6e-a709-4a7418e958f5", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0ac956dc-6417-57a1-83f8-667b98949767", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e7e7406f-f5a4-5872-b170-665053cc2a5a", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2de17bf5-cefb-5c1b-8011-4f713fe8d6fb", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:af92bcb5-71b1-59fd-869a-d6808861cf53", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:156fbeee-f502-5504-b17b-eb2414cd703e", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:38c1c002-f90c-579f-909e-68bf88da42cc", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:19aee282-f877-5f2b-b10d-b9405d764b14", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:34abebfc-421d-532f-b78c-0d7878a12e89", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b972de4d-2407-5d6b-b452-2670d8bf2691", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6b4227b4-2199-588b-bb6d-27f596357884", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:65acf2b5-bd9d-53f8-9941-c422b4621b2d", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:439ad52f-ec9b-5bf9-b6cf-5dfbed58b030", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f22114b6-d2f2-58ab-bd21-e5b45990356a", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c777eb52-d8d7-5e4a-96f7-ec5837c0e457", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e54d582d-39b0-5448-a26a-3ba8dcb6279f", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7046a9e9-17c7-57cd-b2df-dddb1436229f", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0c9f2871-ad3b-542d-a1a7-dbc000eaf1cb", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:35c35aeb-ca76-504a-9897-2c0333ac9be6", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d59d297c-ec04-5105-964f-ce8ac5bbb83c", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fb2b462b-662b-51ac-838e-c2d27c584957", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a1f37420-05da-5aec-8fdd-1631b003d46a", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3826ecff-6734-54ca-ab07-8580c061973d", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e483c045-1657-5b4c-ba08-7dbb629be552", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe6ff9c5-cabb-521e-b0cd-4d434cbfa8f8", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ed4b3fce-3e5b-5325-bb83-71ed18808bb8", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e6013e4f-2dc4-53cd-bf8b-26150dc2eda2", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ba6ac754-4cd5-53e4-a529-e5f62474bb21", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:70e508bf-4220-5d7e-8632-4bec04acc16f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3dcfa835-7313-51d2-99ce-b23bd3537646", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1523a46b-b954-529a-9c2f-b774e99530f3", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:58958b6e-bb59-57a7-8465-3979c2453788", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:31d7c4ac-5c95-51b0-acb5-bd61ac973876", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:517921cd-6921-5c0e-819a-7d22596e8ecb", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:88ec4219-8adf-53c5-a890-47e068d5883e", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:03a87978-925d-58c2-a8b5-26222f055913", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7aa34d1f-b222-5dc2-9d5f-b30274b8c15a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fd60ecae-e5d0-548d-a7c9-e05f7cbc3999", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2c2eda4b-5196-5715-8038-3c7a5dbf959e", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b508b835-e0e3-5857-9298-83a76a842ddf", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:275ca2b0-c20f-5b74-844c-3a1d845382a8", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc-portlet." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc-portlet@4.2.9.RELEASE-tuxcare.4" } ] }