{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:fb497b40-f642-5939-9c8c-68025cc05ee2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d0debe0b-8560-5205-bb23-efbebcf0b8b8", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:56eccb5a-f811-5811-ba4e-2e1de9940718", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-jcl. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9f58a00a-ea26-5268-8440-ba60ec437481", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5f26a91a-4273-5346-b9af-46e67224afa2", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:82cd95ed-82ce-50af-9adf-c2d7057c1200", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:334f8ad4-283c-518f-9678-a33f93d31dea", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:60a5a4df-6358-5d26-a6de-58431f6b8dbb", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bba21858-dc17-501a-93e5-70381bbdaa72", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jcl 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7c262189-2eae-565a-8794-f90e61f6a6b1", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d2c96d7a-6ea9-5057-baf8-48c06a701cb7", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:97ab1a28-c496-5579-abb8-4d878a1bf0ba", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:977c4686-b101-5fc8-b802-b3463fde5357", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:20be424f-de94-55a5-96ec-d66b9426f968", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f2a3d902-d65d-5939-8345-fd46127a5163", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:70008ba5-91a0-5658-b797-1e4c3014004a", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8f389609-5084-5748-b12f-0b651c75c1a5", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5e07f227-dc2d-5951-b9ae-ef35f9f01e42", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:31f9e966-98ff-5d48-814a-f278ba9a3414", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2192c113-5d02-55e0-ab25-7e30cf0110ce", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-jcl. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8e52f6cd-424c-599d-bc53-ffc710837037", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:460aa50b-363d-5ae7-990e-9c3a47b9238a", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:49701810-71b3-5750-ad38-9e7b1161c576", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:51e8af0b-ec48-56ba-9555-88d02307fc6e", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ff083547-9f9a-5acf-8add-524fd7d41316", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b36d3630-fc8c-5337-bf9a-42016b080f02", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d74fd62c-1f58-5ca4-aeae-e01752a87e7d", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c20d728e-0834-5c2f-b294-07e0dd1bc1b7", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:89f071ad-19eb-51fd-9d37-60c20615d1fe", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:41cd0918-1b87-5001-8630-706261acb787", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:93a4c020-dbc5-561a-bf4c-2a0e4d2f3aef", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:362f0ee6-b6ff-5bd1-a6da-402e03a9bdda", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3bac7d72-5c4c-520d-b02f-1a10c358c7e2", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e0f75cf5-643e-59b4-9caf-0835b46372da", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.3" } ] }