{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9e2f53d4-3444-5dcd-8ef4-c90eb84b5df1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "5.3.39-tuxcare.12", "purl": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:5d3af6ad-c281-5235-ac97-c242def01725", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:3e20630e-f467-5a54-8e93-8d43eae0501d", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.12 of org.springframework:spring-instrument. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:761a528d-52bc-5df5-ae6a-8c5d6506e6e6", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:e87d23fa-829c-5f6d-b7f6-26b676678f31", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:7914b6c6-11d0-5d14-9779-fbf5667eb89e", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:8cffaf84-cc97-5a02-92e4-c75be805fc67", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:375138cd-ec59-5613-849f-e751192b8232", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:fdc3ca42-a0df-5789-91da-dc4a9ec02d75", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-instrument 5.3.39-tuxcare.12." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:bfebe707-29a0-5dd7-8ad1-0e6c9e1b8f51", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:e28fc9b0-1983-5efb-bde1-e8a0f406767d", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:da4e2fb1-51a0-5d1e-a47b-87541f6af373", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:7e1ddad5-db62-5958-80c1-ae6cfb3aeb19", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:245b9185-a448-5524-829b-05457d19bb1f", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:2cba7a9f-7b16-5daa-a57a-272226219f68", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:6e2d7072-ab3b-5791-ab17-8adb08910a23", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:2f9cdab0-f19d-57ba-9f39-4cb64ab96ed2", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:3e1aa7a6-3b3d-5786-80d4-04a88f8118a1", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:6f52393f-fd44-5015-887e-6decef10fd58", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:123357aa-04c5-5401-a4b5-8ac40321bfc0", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.12 of org.springframework:spring-instrument. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:ba14570a-75c6-58fe-9c51-44b1a258a5eb", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:d2d162aa-e316-509a-ade3-f6d37f56af06", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:a9ae64b7-d1dd-5dd4-88c4-a809899541c4", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:c1d79e1d-6190-5e0b-bf39-cf5b40ef49e2", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:be50d36f-8662-5b6d-a0ea-3fd36be3c379", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:8176bd82-877f-50a4-9a68-b03caf81514e", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:1eed161e-2f44-54c1-855a-1561869f2211", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:7effb352-8e70-565b-95c2-14336dbd53cd", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:e900be21-e573-5232-b440-4e3e63f90112", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:c85f0bf9-3596-56d0-adaa-19712add12cd", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:e169cacd-b436-59a9-8456-dce4b5a44654", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:8996d30c-ed2a-5025-b712-280c2c73ab50", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:10e7ea64-4463-5b32-a51a-2233b878a31e", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:7c3d16fc-e218-595e-aaa1-74e60f7fab2a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.12 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.12" } ] }