{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:499b41b2-455e-5898-8845-6c88ffccb0f9", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "4.2.9.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:328d0e3d-a474-5a34-8f19-d5febe791751", "id": "CVE-2016-1000027", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2016-1000027 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket. It is not a patchable flaw but an inherent risk of Java serialization. It is recommended not exposing HTTP Invoker endpoints to untrusted clients; if such exposure is absent, no further action is required" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:27af2693-2207-5545-a9d4-75f6a6cdf8ad", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:45a3fd63-571d-549c-8c2c-7d1cb3e0d4d6", "id": "CVE-2018-1257", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1257 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4e79d0a7-300c-57b8-bb68-4cc96990a4fc", "id": "CVE-2018-1270", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1270 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7aaa0f54-b1dd-5a34-b68c-3bac1d9fd736", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:04d2bd99-e724-5869-9b25-7461bf6f036c", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5039ac5a-9985-502b-8c33-3b838d02fc3b", "id": "CVE-2018-1275", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1275 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:85bd512e-b2d6-5bb6-bbcf-61a5a70525e7", "id": "CVE-2018-15756", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-15756 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:742e3478-3e6b-5f79-9ecd-0d9a4914c09d", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4a221769-9310-5abe-a298-7d9335137404", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2b6e9bd8-f94d-5467-bb3a-0df3f64697a6", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a28a5d1b-e36c-5869-a42b-dfc94e8ec2c6", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3152a7ef-1c30-5d99-92fd-e0422eacd753", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:54eb2cfd-bc78-5d36-a940-713d442a3327", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42d444ea-cf66-5c82-b5a3-9b823d3a646b", "id": "CVE-2022-22970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-22970 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0191023a-c59e-5c21-ab0b-a085b7fec21b", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9258d0d8-26d6-5a42-b934-e08ebec0164c", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4c110df7-7111-571c-aa4f-4eab4b7c6376", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:881951d8-8b79-57e4-8c92-56c8a6bf5458", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:baad45bb-2274-59d0-9338-80b884b7869d", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:99dab0ee-5703-56f3-a992-84cd5fd8c118", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f7661bfd-1319-5618-8cf0-f62180108a9f", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d4c2ace9-522e-5b3f-8f0a-61809de70ed8", "id": "CVE-2024-38809", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2024-38809 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket. No ReDoS vulnerability: ETAG_HEADER_VALUE_PATTERN regex is not used in this version (introduced in 4.3.30)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42a39f3f-a2c7-552e-ba03-2bbe045182b5", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:93444a3a-18a9-5d98-884d-2f2758cc145c", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:54811e10-1aa9-53c3-96a1-cb97e04875b0", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:75cf0b21-6a18-53ca-b901-7f5fddf7a1be", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:36039cb6-5438-584b-a9bd-3ecfed393ae5", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe962539-f17d-51e2-9f20-27bfd9c99385", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5b888c55-5b4c-5183-b743-d6194f6d8a8b", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2f063021-346e-5383-80d9-f6457cad94ed", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7d924cb1-d1db-5296-9074-41de8b086bdb", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e2349ea7-653d-52f0-b6c8-056a02d81e0e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:153f90ae-7ca8-5840-8363-de04e4b2e07f", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fc1b8110-f2d0-5f37-9d3f-4f9ec607db6f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b5c7238c-18f4-52d0-80a1-1253cde4f21b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2edb2ea6-e805-5a4f-bb30-9dfc43370134", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:83102c2a-b450-5f21-ac02-55dc9dfd92c6", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a31a8eb0-6202-5b0d-bf82-614d5c274055", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:864befc9-4de3-54a9-b0ed-33d8f053fade", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:52f6a468-9a98-54e9-a814-505417e003d9", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d60faf13-8215-5457-aea4-982d2d8718c0", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket. not_affected \u2014 Spring Framework 4.2.9.RELEASE-tuxcare.3 is NOT AFFECTED by CVE-2026-41853. While the target version does process multipart requests, the specific vulnerable code path that enables multipart request smuggling appears to be tied to architectural changes introduced in Spring Framework 5.3.0+. The target version (4.2.9) predates these changes and uses a fundamentally different architecture." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:296284ed-c466-5e47-b0ca-09b2aaec0fc3", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 4.2.9.RELEASE-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@4.2.9.RELEASE-tuxcare.4" } ] }