{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7d6afbfb-5946-53eb-8c05-6de4095c2c3c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "5.3.39.tuxcare.1", "purl": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:21471853-5dfb-5440-b202-535213435f91", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a7efad5b-e9ef-51a4-a835-e18a4b481d3a", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-instrument. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:14db5da9-b976-55b6-9b33-01f1f5fa5d79", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2f51dd25-d726-5b4e-8e73-1a99d9077cc2", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b770db34-7be4-51af-845c-e90ba0499804", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e87c2893-b9fa-5315-b696-0ea3b337a36e", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3e55985f-c744-5514-9a74-46afd2bf3362", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:87581ff0-94d1-522a-a4c4-49aab41a466a", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-instrument 5.3.39.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f3277bbd-1159-5e9f-b77d-055fe1060376", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aa65652a-6c76-5daa-ba2d-3cbdab4a9aa2", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:027408e5-8fae-5330-8aff-f2d17ae2d04d", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6965590a-b289-5b4b-9d6c-25e79c11342a", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b4c24a52-0172-5d8f-a7dc-4ead3d229a27", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c5c257cf-a872-53c4-ac85-9ec89538644a", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4274cdc4-2e65-53bb-8c76-dbdf509a909a", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:344c255d-8228-5b7f-8618-a226c995a009", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f587ba63-0283-58e8-821c-4ca5487ff9fc", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9663a231-49e3-5162-a94b-ed5c765353db", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2d477012-3fcd-539f-8577-fe7b493bb554", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-instrument. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6542d9c6-d02d-5c9f-b9ed-ce1da246c7d8", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:53004d8f-f3fc-5e71-ad36-c8828233cf45", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7a0328f1-3328-523f-b80b-b8ab57acba78", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0c4f80a1-dd8b-5ef6-94b9-938267aad3d9", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:50f3fba3-f130-5046-91ca-3a15e66134e1", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f5bcace6-c713-584f-af6d-dfe28efe128f", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2d0be7d3-d1fd-5954-8e32-5f85e3db25b1", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:30c81c1e-2b63-522f-8b84-ae59ced337e6", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:22dabb71-df5d-5903-aaa6-feb87f930e05", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7c8a1f45-e6f3-5c9e-997c-4b2dd0677b6d", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e50cbe80-bb2f-5404-9aae-ee193692c9b1", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:52c35cd0-df2e-5c7e-b2f4-4a3899728654", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e99e2634-e772-5dc5-8483-ee75af3c29e6", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:572d10de-f3e7-50ff-a750-5dc4a0dce68b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.1" } ] }