{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ddec92e4-9a55-5217-af10-3aa3030980d0", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-aop", "version": "5.3.39.tuxcare.5", "purl": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:2e594ab2-4e92-5dc3-895a-f106e18d7523", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b6538728-db0d-570c-bd98-ce30fd577e8f", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-aop. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3489821b-82fc-5d34-a07c-77610eb5d2bf", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7963145f-79e4-5cc3-a044-08db3f5624cf", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:417b688b-6920-5e29-b169-57100be1cf0f", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a85096ee-98c0-5fcd-921b-e11920e78a53", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a34fbe86-a6bb-52fc-8512-a30c40dfa57a", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:35aee270-e0c1-5f39-8206-2138c1d0b222", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-aop 5.3.39.tuxcare.5." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:34f986e0-dc7c-5451-8f9b-c1a3de0deeb1", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ec36acf5-6b30-5f86-b13f-4bccd2a4987d", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:38b6708c-24c6-5e20-b5e3-1435d4c4c354", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a3cc1001-22de-5dea-abff-db76ac99a3d6", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0f03678e-b7be-58ff-a160-7573494d690f", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:924632ec-7378-5b2b-bb51-b42cf744d72e", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:35f2e86c-bac5-5753-a382-1432ae2d1de9", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4fcdfbaf-02e7-59cf-999c-ecd9a396e08b", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:67139a90-df53-5bb7-ab73-f36dcb41c1a3", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:843f4014-a16e-5b98-8930-7b3b0f75b90a", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:34f84fec-b1ff-52e2-802a-1627c2c65f92", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-aop. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d83c2d67-43fe-5678-a1ed-ff98e9e35ccf", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:6f605241-4071-5aab-825e-2f02a4618e94", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ad5d176d-f0c2-5110-a765-4ac9dfd8648a", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f99b6884-cbd8-50d1-a2ca-35cd310a8198", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c7a35667-481e-51c5-bea9-993c430e3609", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f075aba3-f248-5767-8c8b-51d3b1537043", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4a901b7d-6df6-5c97-99ff-abed1e0e7bcb", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f5a3f154-dc74-53b8-9a01-c706ee5f83ef", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8382c2a9-6299-5d2e-b657-dec319b8da9c", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:6ccf9419-4971-59da-ad82-2884d49e8752", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7a7bfd31-0751-58d2-add1-1b93b56c8a8c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:24ec79f4-5452-5b15-b371-0dc8ecf3582a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:97ba75da-5ccf-59fb-af56-e3264db895d1", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:bb051297-c4c8-5303-990e-c6bda464f6b7", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.5 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.5" } ] }