{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:719f389f-6642-52d5-a074-ce45b4fc1bd7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-aop", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:2df1baca-1af9-5383-b72b-0d8779f39791", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd14044e-c737-5317-97a6-48ff2ee440a9", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-aop. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8ab3666f-d06a-5096-beb9-ef8f94ce8d46", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7b24d90e-f562-56e2-99d9-14ad74673b5d", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:147e3d7b-0800-566e-8da8-9e419951ea6a", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a3eaf097-67fe-5db4-b4f8-e7cc479684de", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a0800e78-a6c1-5b6c-b4a9-0cfe20a822ce", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4c5e38bd-25b5-5962-bdf0-8f758b522247", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-aop 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1986d9ac-19f1-58e5-be51-ff4e8c89bd24", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5c61ff31-b4f1-5bc0-9644-e811bea26f55", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae4453aa-7477-5ff5-8f9c-a1f6b67bbafc", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:99273989-5110-56c8-9682-77f1465143ac", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3952dfc0-f8f0-5976-a69f-7f40773a94d3", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c1e7d96f-32eb-5029-bc87-582463e59bda", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c58f1e8b-1bb0-50b1-9e51-b58ed7bc3d56", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bfce061f-b2ab-5375-a5fc-7ab0601f7794", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6274a145-7f98-5402-a0bd-47f224ce5e42", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:52639983-0451-5b58-bfa0-38eec7fdf4a0", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0c1fd332-183b-5d5a-845a-16be010c0739", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-aop. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0d007606-d6b7-550f-b18b-72b857912b84", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:163c00b3-014f-592a-a9e7-d0b5f86b7daa", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ca2665f3-334f-561e-a035-94e021a540a2", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:37a1411e-2d1a-519c-98a5-f3e34a2eb086", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae647c79-5950-540e-852f-7fa7b4f69bf0", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0db0a926-e499-53df-a9e7-cb934a497698", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e080eafd-060f-5411-a578-e7fe24d42b02", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:557eb314-4bb0-52d1-8f7c-922cf4145bc2", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a30aed9c-96c9-5802-aa50-2908422a210d", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9281a8ed-e542-5287-b1f7-fd0bf06e710c", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:852438f2-1fc9-55a6-b0c4-6b4c8fc478f0", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4a51381f-2763-5ba6-92e3-b9f459f26fe9", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ccbfd53d-ae00-507d-9169-bff5e8551035", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0037f965-4ec7-5c99-8ed0-41d6af2ce2d0", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.3" } ] }