{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0dd3edc1-d40a-5f31-908c-b005fd4632ad", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-beans", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:50154ca0-7a3b-5820-9e99-16bfb804cb06", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:951a573b-ab62-5058-be6a-91f0175592bc", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-beans. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5063a2ae-5b7a-56ec-b7fa-cebec321db51", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b8cd90bc-ea62-57d9-80ed-abf9655a4bf3", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:225b07e7-8506-5124-b1c3-86feee6d7b58", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6644f3e6-8b38-5506-972b-7d07af785bbe", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ec67713d-4590-5449-b04a-77511b75f74d", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:81ccb8ad-3a6e-57c9-a021-13b47d8c0bbf", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-beans 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b2c402c2-23c8-5165-aef2-2f06a3e29460", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:30ac0a4d-1d7e-5d83-88a6-45af23e782b0", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:47cadc72-efd6-5a11-9b75-87a31159e75e", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e1029f50-c846-50a1-87f4-dfb78b09cd06", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:abd6c6e8-bfb8-53bc-aa22-44b7ab9d4460", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8b3d7248-6aab-5420-8bcc-64f45191f1cf", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:26760c47-dd85-5a50-a93a-a2d0bd029bf2", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e24bb36f-08e8-5913-8f0b-40ceb0ab03bd", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f96664e3-03cc-5fc8-b43c-2d0efd4f795a", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9be049da-0b51-5682-886a-756b1b9c460d", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:56341f07-a4c8-5793-8734-c82eadb23a4f", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-beans. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2c700579-dba5-55be-8928-de7ce922824e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e0d57801-0900-53f6-9f2a-30356ab3b2ab", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2392f9a3-6286-5964-b726-2f9031e74858", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5efc3d40-4369-5391-aa14-3afe50d96b8f", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:342577e5-1249-52a6-9d61-677a3c3794d0", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:212ea12d-6002-566f-8100-f42ec013c871", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8d5f5f6f-f109-5d64-816a-19372e6fd7f3", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2944fa81-e9a9-5e62-908b-502a310cf015", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7f59280f-b5d5-5090-a597-77baff99cb63", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0448d75c-545c-58ee-bb41-b4cfdb35090f", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a387be48-1cc4-51f7-a6e1-0f08ae15ddaa", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c4bd0a67-c5b1-53f5-a74f-108fbf750a8d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:70cc6dcc-6110-5ad3-8f84-677b9ed3ac15", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c5bc386c-2aa6-5212-a7e9-be30c992f062", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.3" } ] }