{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:7994061b-b38f-5561-8306-b72f5fde93c3",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2",
      "type": "library",
      "group": "org.springframework.security",
      "name": "spring-security-acl",
      "version": "5.7.12-tuxcare.2",
      "purl": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:1bb592c8-85e1-5b93-b54b-17b96d4cc43f",
      "id": "CVE-2007-1651",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2007-1651 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2b572424-ed8c-5b12-b710-5616cef14ab9",
      "id": "CVE-2007-1652",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2007-1652 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9ca8986f-d43c-5d47-9f3b-aaa228c7e80d",
      "id": "CVE-2018-1258",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2018-1258 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d1a12498-2a6f-5ede-8c8c-dfc333bd4688",
      "id": "CVE-2023-34042",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-34042 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c85e5d97-1181-5ee7-b367-36a7588b063a",
      "id": "CVE-2024-38821",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38821 is fixed in version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6ce44f28-efc5-5f69-bf0e-4473f9d9489a",
      "id": "CVE-2024-38827",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38827 is fixed in version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1a1c79d3-66c3-5382-881b-22d222b346d6",
      "id": "CVE-2025-22228",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22228 is fixed in version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3b491929-112b-558f-a317-c005fe85a966",
      "id": "CVE-2026-22732",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22732 is fixed in version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:22e35e28-6407-5e76-a51b-aa201779dd46",
      "id": "CVE-2026-22746",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22746 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9f03935d-b879-5e1e-b471-55f8daadc240",
      "id": "CVE-2026-22747",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22747 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9bbdbd28-dceb-5c37-8676-ce390fb0a7ee",
      "id": "CVE-2026-22748",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-22748 is a false positive for org.springframework.security:spring-security-acl 5.7.12-tuxcare.2."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4e9eee95-5a01-5f37-956e-b395a76fc2b0",
      "id": "CVE-2026-22753",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-22753 does not affect version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl. According to security advisories, CVE-2026-22753 does not affect Spring Security versions earlier than 7.0.0. This is supported by manual code inspection. CVE-2026-22753 is an access-control bypass that occurs when a user-registered PathPatternRequestMatcher.Builder bean (configured with a basePath/servlet path prefix) is silently ignored by the securityMatchers DSL, causing the security filter chain to match a different URL than the user configured. The vulnerability requires two pieces of infrastructure introduced in Spring Security 7.0.0: (1) the PathPatternRequestMatcher.Builder API itself (added in upstream commit aeb2dbc2 on 2025-08-18), and (2) the wiring in HttpSecurityConfiguration.createSharedObjects() that registers this Builder as a shared object \u2014 the exact line patched by upstream commit 438c783c (the CVE fix). Neither piece exists in version 5.7.12."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:160778aa-9978-51c8-b91b-9d8b93586d57",
      "id": "CVE-2026-22754",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-22754 does not affect version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl. According to security advisories, CVE-2026-22754 does not affect Spring Security versions earlier than 7.0.0. This is supported by manual code inspection and proof-of-concept tests ported from the upstream fix commit. CVE-2026-22754 is an access-control bypass caused by PathPatternRequestMatcherFactoryBean.afterPropertiesSet() calling this.builder.basePath(this.basePath) and discarding the return value \u2014 PathPatternRequestMatcher.Builder is immutable/copy-on-modify, so the configured basePath was silently dropped and protected URLs (e.g., /spring/path) were left unmatched by the security filter chain. The vulnerability requires two pieces of infrastructure introduced in Spring Security 7.0.0: (1) the PathPatternRequestMatcher.Builder API (added in upstream commit 3e53cc2c4a, \"Use PathPatternRequestMatcher in config\"), and (2) the PathPatternRequestMatcherFactoryBean class itself \u2014 the exact file patched by upstream commit 53bcf0d1 (the CVE fix). Neither piece exists in version 5.7.12. The upstream proof-of-concept tests (RegexMatcher and CiRegexMatcher, plus the AuthorizationManager variants) were ported verbatim and pass."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9be32268-a292-54a2-8411-a6ed2c05cbc7",
      "id": "CVE-2026-40988",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40988 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1548172c-ee02-55b6-9197-ffb6f7641bc7",
      "id": "CVE-2026-41003",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41003 does not affect version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl. Version 5.7.11 is not affected by CVE-2026-41003: the vulnerable class FormPostRedirectStrategy does not exist in this version; it was only introduced in Spring Security 6.4.x in January 2025, well after the 5.7.x release line. The CVE's stated affected version range (5.7.0 - 5.7.23) appears to be incorrect."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:baaf6ec8-c133-5473-9128-e24197fd39ee",
      "id": "CVE-2026-41694",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41694 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f4dddc02-03dc-5df6-a31e-c072f800a1f0",
      "id": "CVE-2026-41706",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41706 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:760b05ee-4df3-58ce-9402-a2be56d793c6",
      "id": "CVE-2026-47838",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-47838 affects version 5.7.12-tuxcare.2 of org.springframework.security:spring-security-acl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework.security/spring-security-acl@5.7.12-tuxcare.2"
    }
  ]
}