{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a7f4bd89-28ed-5c25-a41f-211ebc1aed46", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-aop", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:bade1785-1d83-5dd7-8cb3-009add35f404", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fb50d455-e0a9-5e60-8619-c972e223b309", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-aop. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:03850a27-9ff6-5a0d-82e8-1b1e961bc751", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5ad4f099-010d-5374-af56-ab7a3bf61fe3", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:68ee43de-c74c-51a4-88ca-4a75eb807765", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b58da3f4-ec9b-5d97-aa4e-ec444690deb7", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:21cc94d8-6aa2-5110-a152-747169f3ac06", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0edb8c69-434e-58ed-846e-8fe9758fa0a9", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-aop 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fc01c72f-fc4f-5cd3-99c7-3cb4428d422d", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:65494b28-5d00-5a9a-b9a5-85793241fe6f", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4530c802-e086-5d21-af73-43d4c0da7d81", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f9815eab-dfe8-52f1-9ac6-8efd29681d22", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:201f3fa1-0eeb-5999-8d9a-7dd02163fca8", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a1a1031e-64be-59a8-8286-1f27e8af8ff5", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4964177b-3b84-5f83-a31d-b37d08458f41", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3e3adfa6-5394-5657-b7d4-750b15314e46", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3f3c1ae3-0f87-5e56-9ae8-d2796a57eef7", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b2ec38b1-6f5e-561e-b6ab-76e4ac4d7580", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:34cbc029-6bc6-5a26-b097-57f4484f392f", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-aop. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d148f152-d75c-50f2-be0c-359f9b89b8b9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6f2b558c-140e-5862-8b8a-e0d0100abc1f", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:856c242a-0b23-56ad-96e1-9c5ab06cee24", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0c7f3c82-e0bf-5367-a3f5-98aee229f041", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d4e585ab-c5a2-5a2a-98c3-0051600684df", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4975bc2d-2711-54a5-9d20-d43c21c8504d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a31d0f58-7cf6-51fe-96c5-be8e33311875", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4655e4b2-2105-569c-9701-17b6a4b09bc5", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:381610b8-fd12-5f78-901e-ea975ee2fe11", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1070d5ac-649e-5cb3-a92f-a8fc987ef057", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:27bed559-1f4f-5b92-9240-d3c43378f10a", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8ab98ef5-0693-551e-9a45-8f62c2b5851e", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9b392409-f5db-5223-834b-fa08dc2efc11", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8f7889b9-4423-58de-a889-a1e53ebe00be", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-aop@5.3.39.tuxcare.6" } ] }