{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:12ce73c6-5997-553f-914e-36c62560f0f1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "5.3.39.tuxcare.5", "purl": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a90a163a-96ea-57d8-8478-059725b9a98f", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e728adad-7090-5eb0-9a3f-882e611b36bd", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-jcl. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0d180cb8-d7e4-55d9-b1eb-c00038ac4517", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:6a8880ea-ca5e-5b41-a8be-ca1a74a6f4e5", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:45d1f948-67fb-5eaa-ab29-de541c70725a", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:1133971f-2623-58c0-8f24-ad5ac5e38dd3", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b4a54afa-118f-588e-9ba4-51940f4ea199", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c43b3469-a789-513c-b8ca-bdce02af695f", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jcl 5.3.39.tuxcare.5." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:477603f4-b8bf-5851-ad7c-f6622ba024cf", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9a0ba6fe-0062-51ab-803a-b2a594c83a1d", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:afba164f-04aa-5150-b1b7-dc1d8c871df4", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d0b80333-b0cc-536e-9f56-50c5c47549de", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9959102b-dd79-578e-821d-a1fa1c3cb45a", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d57b9e04-71ca-5d81-a02a-07ab881d52b6", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c0d50086-aaaf-548d-80dd-98983f35c016", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:50d2fac7-26ef-5693-805c-5608cb1fd5b4", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:be375ec7-ef91-5d20-a809-caeafa90a60f", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3b0e71e1-e799-5c4d-b5f1-c8778de8050c", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:01dcbc66-59dd-5dc3-9a9f-ac2c11091cac", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-jcl. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b79d8fb9-58b2-5f85-b98a-8c622d11f854", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9bf18d28-30f9-536e-98bf-ea7b511df2c0", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:254312da-449b-57c0-9d77-cfae4baaf9ea", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:425fca68-87ef-5f58-b666-d50d26ec8237", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3da5b54e-ecd6-5c9e-b3bd-ae9bc010b0f7", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f155776f-3a1e-590a-b890-90eea61dfd9d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:05d00748-debc-5e2e-b457-dbd63d463269", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:20cdac9f-a1f2-556d-804c-4f7152d0fb3e", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d6f55ea3-b0dd-5fef-8a4a-1d57ae21d076", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ee83e39c-e838-50e4-9ca1-0823f481819b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f8167aa1-b361-58d9-8137-9300633e3456", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8e785db5-c22f-53dd-8cca-9a813eb7c959", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:fcc99f99-7430-544f-a039-4a6e312c9a7b", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e45fe384-bf29-578d-89c7-75b68ac455cd", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.5 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.5" } ] }