{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0dc0733a-c388-5041-9b72-9c5c873179c0", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "5.3.39.tuxcare.1", "purl": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:15b53583-74ad-54cb-a5a4-b65b9720d189", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f77eb41d-b4a2-5241-8de4-7fd9194095c6", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-jcl. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ea8db674-2c73-5824-b44a-4584f157724f", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a50845c0-62a2-5f57-af37-49e9e78257d3", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9e3799b5-3143-55a2-9100-219ef8544de4", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:59144296-a6d7-5211-8566-5334160ed1b3", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e8f5d2e0-28f8-5e59-8887-077c2604988f", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:304eaabd-934a-5757-9345-2158b9ff6345", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jcl 5.3.39.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6d9d6fd6-f9a0-54d6-85ef-443a813477e2", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:71e3008d-758c-59c1-8f16-b921d2983eb2", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ff6c9dab-d5eb-59be-9fe9-638acec2f2f4", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c40050d8-1150-53e0-9156-306fdd410ab0", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a7461787-0e63-5200-aafa-947918d38716", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6fc6a121-fcab-55d0-8e36-3b5059dbf999", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:90b4cfe1-a64d-50f8-a9f0-99e46e407b28", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6cf5b7eb-076d-5f59-824f-568e6b33c6b6", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ca0b655e-8060-5995-aadb-1e7d0f6499a1", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0f4dcd49-075f-5b2f-989e-f1a9e0684fa4", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cd2d9608-bbb6-5043-afb7-762209dd8a99", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-jcl. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:28b2e403-fe61-55df-8156-62fd61db6694", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f5e3c48a-7707-54ff-b1f2-64011d59fc72", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:65acda18-5ced-5554-9e7b-320b48861bc0", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4e0f3c24-fb01-59af-b8ea-1dbce624f41a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:72c02ee6-67ad-5310-8438-814b543611d8", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e47588b9-386c-5cac-8d55-2ef214c6fd1f", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a5063125-eb1d-5c10-9cd8-ec61add10473", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9eef3390-6cf4-58ed-b364-d6da19059c1c", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d5c98b71-95cf-521b-9ac4-c509cca28ddc", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ecec7000-7aa8-5d6e-ba0d-73718dc3a022", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b107cdcb-cba3-5752-a33e-a9baece92bb9", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9a0216c0-eb8a-573d-b142-e6cf0302bc8a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5bef0919-7872-5625-9d63-95b4d19cf3dd", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:64b8d8a5-f44d-5028-9d12-ae91b4e781c7", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.1" } ] }