{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5a0b005a-6f6b-5bba-aee7-e8b9dc2446aa", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-context", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fb476d18-0bfe-57bf-bf54-2514b4f1b967", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cdf80de5-a4ae-5d14-8d2c-d5ba3818418c", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-context. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c187ede1-a3a6-5e21-ac86-9ba3e8c8afc0", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:227f3f36-604b-5555-83ae-5eaafaa5f186", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0af306aa-894d-50fe-9f7f-76eb9dfe0b74", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:96125ac7-f01b-5d00-a40f-ddd4b98ba500", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe093cec-2100-5922-9159-43caaec475ad", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7b01d601-58eb-528d-9394-098bccb0cbe6", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-context 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6a28e73c-ff9c-51bf-a9dc-9f1083fb87eb", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bcd6ba2a-1cfd-51c2-b7fe-fba1a0d87f0b", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:07610568-f53c-5c35-b7a0-312668fe7fd8", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:84983140-f859-5340-8ff5-df01607259b9", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4a085b92-e62e-5c32-9570-f392a02f7f6c", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3c5ceb46-0c7a-5761-977a-c97308b62d68", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c396cd21-97e0-5379-9efe-c15f16244bc9", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5a62e624-db0e-5578-a6ff-8367a1ede98d", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe6c40c2-01b7-512b-a337-b7e5c3e9cb3f", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9b3f1344-d328-5e6d-ba19-68496ba6638c", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5cdc045f-27fb-582f-8647-ebcb41167d3c", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-context. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0090bd36-5366-5c12-8013-2fefbf609e1f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:64b6a966-6ac6-5b2d-a18e-1d3a91ebd7f3", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:526a6a65-2336-580b-b321-d049f73644f7", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e030d096-e54f-560a-a7f9-ab87c52ba202", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a123094c-657b-5973-9a05-a31d755dca3a", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5c9e6b9-dc6e-519c-85d7-3efa3e3fc1ab", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eaf1ef73-31da-5561-abc0-5f28ce38b567", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9e9295da-cb0c-5a97-aad3-92a621e83b40", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a6472dac-7b99-5dd6-b1ba-5a6ef129aa85", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6b2b7312-8dac-5dee-a46b-a3e3f14cc3a1", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:18268bf7-4016-5172-820f-fab9fe6c92be", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2381ea26-a99e-55e9-ae6c-9b0a0df6a1c7", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:917178a9-d8a0-51bd-9812-ce2544bf8470", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:03d28163-d504-52a2-941a-3f41fc1b5945", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-context." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-context@5.3.39.tuxcare.4" } ] }