{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3c39d794-a21a-52d9-9416-cf02053a59d1",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1",
      "type": "library",
      "group": "org.springframework.boot",
      "name": "spring-boot-configuration-metadata",
      "version": "2.4.5-tuxcare.1",
      "purl": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:10ab68cd-2eb9-5643-ae78-d50cb6610777",
      "id": "CVE-2023-20873",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-20873 is fixed in version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a67431ac-6877-5537-8b30-a5e0a750d9d1",
      "id": "CVE-2023-20883",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-20883 is fixed in version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:61f68574-4a09-5ca3-b393-fd88dead031a",
      "id": "CVE-2023-34055",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-34055 is fixed in version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:091be483-b33c-5ead-bea4-26449c7c9ecc",
      "id": "CVE-2023-38286",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-38286 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:226ee591-8e4e-5066-81dc-cea59b186000",
      "id": "CVE-2024-38807",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-38807 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:92c0e0fb-749e-5099-9742-6c30c31cf624",
      "id": "CVE-2025-22235",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22235 is fixed in version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c4377780-60cd-53dd-8115-1875d7de202d",
      "id": "CVE-2026-22733",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22733 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dfc8fc8d-09be-5069-9953-872653a9df5b",
      "id": "CVE-2026-40972",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40972 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6032fdb3-7230-5b8f-83e5-52c44002136f",
      "id": "CVE-2026-40973",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40973 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ffc5feaa-5168-5a69-864c-47e7e6c4e170",
      "id": "CVE-2026-40974",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40974 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:da1b1868-8c52-54cc-9061-e086eb2347e7",
      "id": "CVE-2026-40975",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40975 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8a5382b0-ad4d-5834-a435-0935ea114311",
      "id": "CVE-2026-40977",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40977 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4f5104ea-782a-5c29-b3c4-58413a058c4c",
      "id": "CVE-2026-40992",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-40992 does not affect version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata. not_affected \u2014 Spring Boot 2.7.18 is not affected by CVE-2026-40992. The vulnerability exists in the SSL auto-configuration feature introduced in Spring Boot 3.x/4.x (controlled via spring.mail.ssl.enabled and spring.mail.ssl.bundle properties). This SSL auto-configuration feature does not exist in version 2.7.18. In 2.7.18, users must manually configure all JavaMail properties via spring.mail.properties.*, i..."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e4654b5e-ad1a-5c46-a1db-96f55a48cf34",
      "id": "CVE-2026-41001",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41001 affects version 2.4.5-tuxcare.1 of org.springframework.boot:spring-boot-configuration-metadata."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.4.5-tuxcare.1"
    }
  ]
}