{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e17b4224-3d00-59b7-a7a2-a950eaec6170", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15", "type": "library", "group": "org.springframework.boot", "name": "spring-boot-configuration-metadata", "version": "2.7.18-tuxcare.15", "purl": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f86bcc74-6103-5f7f-a2eb-e5defda73bbb", "id": "CVE-2023-38286", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-38286 is fixed in version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:dd8f22bd-60d6-562f-9f29-54af29069409", "id": "CVE-2024-38807", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38807 is fixed in version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:ef785094-2889-55e7-ab57-d70ea09cb121", "id": "CVE-2025-22235", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22235 is fixed in version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:cb926307-40e5-5e9d-b855-3e05ec396e78", "id": "CVE-2026-22733", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22733 is fixed in version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:a50917ec-5ee7-5cbe-b98b-0aa3f28206dc", "id": "CVE-2026-40972", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-40972 is fixed in version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:bf129d21-2b8a-559d-8e7d-ef80299085f3", "id": "CVE-2026-40973", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-40973 is fixed in version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:409724f0-7252-5167-ab1d-efc8ee4004d7", "id": "CVE-2026-40974", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40974 affects version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:91057482-35db-5397-bad6-dee97ca16f6a", "id": "CVE-2026-40975", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40975 affects version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:654b12fc-9bc7-5457-bcbc-04e6c7cb2aa0", "id": "CVE-2026-40977", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40977 affects version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:65335c82-d56f-529d-94a9-fbc5ccc199dc", "id": "CVE-2026-40992", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-40992 does not affect version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata. not_affected \u2014 Spring Boot 2.7.18 is NOT AFFECTED by CVE-2026-40992. The vulnerability exists in the SSL auto-configuration feature (spring.mail.ssl.*) introduced in Spring Boot 3.4+/3.5+/4.0+, which does not exist in version 2.7.18. The target version uses a simpler architecture where all SSL configuration is manual via spring.mail.properties.*, and the auto-configuration does not handle SSL at all." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }, { "bom-ref": "urn:uuid:1635a825-6354-5f5f-89e1-8090678f0a77", "id": "CVE-2026-41001", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41001 affects version 2.7.18-tuxcare.15 of org.springframework.boot:spring-boot-configuration-metadata." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-configuration-metadata@2.7.18-tuxcare.15" } ] }