{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:6d7773cc-426b-582f-8851-f938999814db", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4", "type": "library", "group": "org.springframework.boot", "name": "spring-boot-starter-data-elasticsearch", "version": "2.3.6.RELEASE-tuxcare.4", "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d3ec6042-3e2c-5658-bc9f-a7573f222570", "id": "CVE-2023-20873", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20873 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ea63fe65-df94-57fd-912d-0a0d5bce8b9c", "id": "CVE-2023-20883", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20883 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:22362bae-e10f-59b2-9aa5-bcf4b1b74f9d", "id": "CVE-2023-34055", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-34055 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4bb6ed1b-a5a7-51b5-bf0d-755b43d77a45", "id": "CVE-2023-38286", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2023-38286 is a false positive for org.springframework.boot:spring-boot-starter-data-elasticsearch 2.3.6.RELEASE-tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:28e36914-3668-5a9b-8dca-31f643933987", "id": "CVE-2024-38807", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38807 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:159108b7-d02d-517e-a05f-6babe1958a62", "id": "CVE-2025-22235", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22235 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f3b82f16-695a-51a5-942b-f60dcc527bb4", "id": "CVE-2026-22733", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22733 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d5e10876-f3b3-5f38-8a6f-869d9e29fb4d", "id": "CVE-2026-40972", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40972 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:da64bf5f-f9a8-52fe-9afc-41a2993768fb", "id": "CVE-2026-40973", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40973 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:91be2588-15e0-5f31-a4f8-07de09f59e87", "id": "CVE-2026-40974", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40974 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:12dc6d8d-07c1-5c74-b9b5-1af2c9b28d7e", "id": "CVE-2026-40975", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40975 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8774431b-43c3-5015-a405-f7e4717d0382", "id": "CVE-2026-40977", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40977 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0f2b0cb4-a6c9-53fb-9e5d-5677a0a09420", "id": "CVE-2026-40992", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-40992 does not affect version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch. not_affected \u2014 Spring Boot 2.3.6.RELEASE-tuxcare.4 is not affected by CVE-2026-40992. The vulnerability affects the MailProperties.Ssl auto-configuration feature introduced in Spring Boot 3.4+, which does not exist in version 2.3.6. The target version uses a simpler architecture where mail auto-configuration only passes through user-configured JavaMail properties without actively managing SSL configuration." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:15f5cf40-05ce-5175-8add-743cc54d479d", "id": "CVE-2026-41001", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41001 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-starter-data-elasticsearch." }, "affects": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework.boot/spring-boot-starter-data-elasticsearch@2.3.6.RELEASE-tuxcare.4" } ] }