{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5d281e2b-9ee9-5afa-b572-3ef5170b9c78", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-webmvc", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c91ff782-4edb-5b9f-9c8c-6f2ec9f63fe9", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a222145e-67da-5368-b43b-a70b44482cc5", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7e50e202-bfd4-5ec2-8b40-465e69f5ad66", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:04408d13-1de9-52c3-85d9-c5021e1fe828", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7a6d4e52-b140-5d9b-a909-0d962c4efa8b", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:38f64973-8768-5eb9-87d0-79f2a6eb6b87", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6bb6e2f4-8eae-52db-b217-21a5a6651bb8", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b2297cd1-ca90-5f64-b46c-d1317e146bfd", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d69712b3-a5ca-57d6-9c05-0dd2166ecc4e", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cb3a08bd-5e11-51a6-aac4-253951a4cfdf", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4c1fa34a-81b0-5ea2-b42d-8c3471f34619", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0c396e84-8668-560e-a564-b8b558ff9dda", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:38750eff-6b39-5d20-a69f-da89ede3d93e", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:512223f0-b8df-5e09-9dff-902b9e2f62a4", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dbbb3ce1-261c-5583-93a9-78128d1d7b29", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a6d686a2-5968-5722-a331-3ac7e6c920c8", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4d486c94-1f00-5a83-a832-4663e2457891", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8166bdb5-0de1-5386-8c85-b58e7d6cafbb", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2aee7848-4e44-5935-9210-c586d515b0b0", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f6ce9b94-dcd1-51df-8eb8-11c2a719a6aa", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ac0fc143-37e0-5080-a874-71b5ce29308e", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:66cf9935-43f8-5711-89ab-74c836673214", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a9cec96c-9fba-5895-a4b5-3e88b67b061c", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:db5c089b-b8f2-5174-9992-02ddc6b96a1e", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:32656159-e08e-540f-ba45-4c31e8f843a8", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ed748deb-1431-5bc5-8b0d-803618e705a0", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:930ddd74-c893-5681-830b-438c0a3eeac1", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a2299398-a97b-5d9b-88d2-3889ef558517", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7f6bccc9-4d02-5d64-9a35-b192a9197aa2", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7f6b2a7c-151c-53bf-b15b-5bfce7378e82", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ec944a7d-6ea4-5533-b4ff-b7301a14fe4e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6e1af136-2fc1-528b-a37e-2870481ddfcc", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3785e36f-8f59-54c2-abb6-3b7cc27c3b28", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cd0974db-d289-512c-bf95-2b2156958deb", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81944780-0d66-5272-9514-e6866c9230f5", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1cf6ca04-8729-5ad2-8d2f-5a91c2c65c49", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:001e607a-9c69-5615-8522-a157816369c6", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:40da4e80-95aa-59fe-80d0-1a0e539fb672", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3fcf3e0f-8089-5a07-b07c-e3413c3eb66e", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:15f51a86-8f98-56c4-8e07-866f0e536f20", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:af598744-7048-5c9b-a49b-b2dd6098a7c0", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cffa4e9a-62fe-585c-a3e6-f310aa01abbb", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe951dab-209d-5209-a598-cc7ce0d12527", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE-tuxcare.4" } ] }