{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7dacc5e6-83dc-5ed3-87c9-cdb2d2d976d5", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "4.2.9.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1f152d8c-269f-56ab-9564-afbd1b1d21f9", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8b92c2f6-490e-5a68-aa0b-901afe3047d4", "id": "CVE-2016-5007", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-5007 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:17633521-36e6-524a-a1ee-90ad603fe309", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ed621075-ec13-506f-8188-e1c7338d171e", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:025d9fe3-73f6-5e58-b47c-aff008949457", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:808689d9-bfe9-559e-ac55-976605a99fa4", "id": "CVE-2018-1272", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2018-1272 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9dc88e8a-c436-59eb-b7e0-ad276f2c7223", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:51b348cd-8be3-577c-8a42-bf61ab6ef129", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:147b6706-cec5-5b1c-98c1-f77c735d217c", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b3b2b1bd-ae9f-5d29-8e2f-dddd1699b1a3", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:214b1a70-d89f-59a2-85cc-b454f92888f8", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5c83aa70-6b6c-5183-9722-65dae8568cfb", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eb104975-828a-59fb-a452-3aa9df57f9b3", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ba913f53-8af9-5540-847a-132840e4ccd6", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0f8c346b-8818-5fcf-8da7-a74a477ef0e1", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2123c747-3366-5081-8cf9-51fa7595f921", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:de160180-266b-5157-8218-6e242f4499a6", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e5474984-ae80-5c18-a265-d43f5ea627f3", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d065dc5b-ec66-5ae0-9d17-7c5f51a9cbc0", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:db4c5fd1-ba56-5d13-81e5-060387d375a1", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f87006b1-1603-5df2-8ed4-b20bed826a1e", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ad4b03f-51fe-5b06-aebf-61426b106b8a", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:44732e89-7bf1-5500-b374-8368f8e4ef35", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c4959344-22ce-5498-ac27-06e4d3ba1bca", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c4fd0760-a172-5f9a-a666-caccdcf51e3f", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bfdc2b15-9a6c-561e-aa0a-9fb3fb4d7ce2", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:77e78e09-3be6-56b1-9e4c-3ad5057617f1", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5e154ae2-9802-5657-a0d4-65c730c92dd1", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:68274778-d251-593e-a0bf-c466cd973d07", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:224cac0e-d748-5d97-b3f9-cf72a48de83f", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:86dd7f71-77db-5ab3-be3b-68604503ea19", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:449011e4-ce46-53e3-b848-a036f8afcb8b", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5f58fee8-5105-5287-882d-0e5e58820171", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f4dab30f-26c7-503a-a6e6-05fde7e61b0d", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b71b868c-549c-5e4a-a29e-0b8f6389e060", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:715aaab5-726f-597e-9a97-9a8b5adbd608", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2709769e-a8ae-5da7-aa78-6313a1e927df", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:104354cd-ceba-59fc-ba12-92c620e26f90", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f7acc472-1517-5aaf-b91c-0824f0002632", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6f7663bc-dada-5901-9ab3-dd82061a78aa", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:22fc4237-e613-5d26-aa5a-2c5dc92e0426", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:38c1c459-6dea-5519-875c-1f55e3ad95a7", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f18398aa-c3d6-5e5e-928a-5d5c0c600d34", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.3" } ] }