{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:992e4f81-7af8-5130-a61d-731f58972321", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-webmvc", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:7b2a50a3-2615-52eb-9abd-2dc667f3a560", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d0446430-990f-5627-a879-156b8a614c14", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0e3dcd64-c988-5383-a20c-d1c02b0356b0", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:482a4b31-6d2b-5b03-b0c3-806455d8124e", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f62883f9-1208-542c-bfdd-954d4aee425a", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5e28e4e9-e55c-5cb3-9814-dd3228bdac64", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3e05406e-2f8d-5547-ab17-d9b1c142a1bc", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a77f560-c774-506c-b017-1866c343cd92", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0e1ed8b9-7a40-5d29-8ea0-9c2864bc1892", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6e4a010b-0286-5eef-901b-3ca50c9e5546", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c809d27b-c8e5-5c9e-8d56-b464da8a8256", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f56675e8-2a70-53ac-a603-6f898332cfa7", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6d1faef6-b574-5ffa-9a38-c2d6d7c906ec", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8aa60e6a-b93b-5c0e-9486-9d233b225e62", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0d3a890a-7516-5745-b14b-ef0311ae7cb3", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1bc030d7-f246-5f98-9fae-c6992a24179d", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fc4be985-d7b0-56e3-9cf2-311d917de573", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:49c625cd-4e33-57d9-8552-156c50d99a92", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:17de0f31-d68d-5472-894c-56375f9d8135", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e5847f08-f6ba-5d5a-b5ac-8903657892c6", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:022f46ed-c959-567d-8819-0172a8a1d83b", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ccdb4d32-b8bd-5c2a-bda4-bc3cf512d0b5", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3cc523f6-6fe9-5ee2-97f2-4d0df7d3f1e5", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7248e0d7-5468-5b73-a18a-640296c18aad", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:88d61d12-59cc-5969-9a4e-308528065f5d", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f11e209f-c0ee-51df-a34f-e92556c5e233", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6aaa02ec-69b7-583d-ae72-96c920b51b51", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2cc8e24a-d7cb-5d07-b084-7d251155ca37", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0c8230e7-179e-5252-a53c-e98358429038", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d971e01c-15cf-51c6-b995-7c2559637987", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b74b6624-47bf-599c-8a91-9b77b467c81a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e03dcbdb-480b-59ef-a018-923b8c34d483", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3d065617-6a09-5b5f-b466-bd77fd95b2a0", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d822a2a7-e0c3-512a-869f-bcf20fbc2f7a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd89ac03-6e5e-5806-ab90-7dcac5109d6c", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:285de79f-68bb-5b40-bff4-f08d103d2921", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a503f1f1-5428-556b-8bda-02bb0427d727", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9b67f627-57a4-59cc-a6db-d07cf33c1d6e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1fc2d3a3-2bec-582e-808c-b4e35c6c6fb1", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4881154c-fddf-52bc-b7ee-90052f0df240", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:19808c92-b429-515d-a3c1-6911e3b312da", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4b2e0ce6-49bd-53ed-b27e-93b2d4391750", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3b1d37ae-58a6-529f-a73b-2a42b67cbf8b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.3" } ] }