{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2b5c4230-aaa8-58e9-88c9-b87078b49509", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "5.3.39-tuxcare.8", "purl": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:750e3abe-5e19-56d3-8747-54fb1a3ca661", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:85b9f613-654a-5296-9abd-65974e57068e", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-jcl. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:a309ff8d-9b0d-52b9-8dff-1d3a60cdecb3", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:6cc33205-e78e-5af2-8991-3843d26b1e24", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:663788d3-57b8-5067-95d7-905993ea6774", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:1762dd52-5bd3-5ae3-87de-fac524fd173c", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c0a65066-330b-50b5-91aa-795b916b8bc8", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:407b8eb9-d7d7-5929-a007-0e68031d5016", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jcl 5.3.39-tuxcare.8." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:352b0d3a-cf57-5f30-aed0-59f58146ab97", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c81d7be7-12a6-52ed-a8ba-ff7e3173681a", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f9f0bf30-a152-530b-86fb-ce7d5765c599", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:7b489e69-0934-5a83-af77-c5ef4064e01c", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:0a52a66a-ee83-50ca-88b2-9257a829f90a", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:eed108dd-3e11-57d6-b5e5-e2af522f9528", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ac4092a9-6d77-50cc-afb0-c29fec777f0a", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:872835d7-82d1-5c01-9f0d-201aa1b248ae", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f60f3042-4a05-5f85-aca5-8110152c1de8", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:09ac0b1e-cc52-5b12-8cf7-98928d670a74", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f274d878-e843-5164-be1d-a1304210d2a5", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-jcl. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:5d6430a8-15eb-50e9-9804-09cc4a447aed", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:90ba9a87-e4b4-5eb1-8b50-d6ecd4b5b81b", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ea4f963c-8e40-5c47-90f5-ccfb5a6b575c", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:26bb165b-1e29-5436-9316-7900ff8653e4", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:004ecca9-a1be-53f7-a606-11b906334df3", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3237a100-bd0d-53dd-9bfc-6bb05a7b5d20", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8fe8b8f5-e8fc-5305-ac62-eb28016578d0", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:5d6946d7-cfe9-5dcc-a91c-db74b1465961", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b031bcc7-02e8-5b5f-b078-620dba3318b3", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:4aa698ef-13f1-5fe0-af88-ec1b6807b31a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c23421c4-43c8-5254-9afc-659d43444835", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:1e51e538-8157-5984-8bfe-3cf82e287ba8", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:d8a59b62-f1c0-56f2-a0e9-f4c167e9dbf0", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:e915599e-c5e9-533a-bc76-02dd7ef22b78", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.8 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39-tuxcare.8" } ] }