{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:222481bb-b2ad-50e0-88f0-1fbf4c7dc755", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6e5f933c-0d19-5cf5-8a84-a9b36768193f", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:37373a3d-6b1b-50b7-8c54-98a433ca40a4", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-jcl. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ec27fbeb-eb01-5880-95f1-e2f4e64078aa", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bc0f090a-1711-50ea-8c96-608f30262b86", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:afb1baaa-35ec-50c6-b1bf-a422eba17b5a", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3130752c-14f3-50d0-ae62-8ebbabe0145f", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a675dac5-038b-57ce-8f7e-a5bd66e03db2", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3d108460-2679-5b13-b142-86a06453732b", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jcl 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:05e07423-7214-5ec9-ac59-53a5e6d0d5d8", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:19b173cf-b81a-56b9-be6b-7981ddd6b4fd", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c0310805-3530-5e0d-8c27-64902584a43f", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:199cde14-c089-5a50-ac6e-0e7566e975b1", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:64514231-c8a0-54e3-8eff-cec2e16f1c08", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0929de17-bc01-57e3-86ac-af970ba7157b", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e3d3774c-7ecd-5bb2-9b62-e9aacc1d13ca", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:67df2819-3048-529e-ad5d-770773e2c844", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:59c00b79-3760-5c17-b44a-052d2a78dc59", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:22a2e0d9-895b-5a00-bc53-c0c09cbd54c5", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d4d29370-f7aa-5765-ab03-55472f25b671", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-jcl. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:714f9be9-d6d6-5667-82af-06b6645599a0", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:670bd7ce-0840-5663-971b-89f50aa613ff", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a79eb020-c412-5804-b659-ea71f9a8324a", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4b996296-6649-5b5e-8844-83cd65d0609a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9978f305-e784-55f5-8c33-82ac269a431d", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:50df4466-75c3-5784-9a47-ed793bdca9c7", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9e893dda-f38c-5214-96c2-55cbfb4d6bcb", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3e44ebdc-879d-5606-b9c9-7208f0c906a2", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1b104e4e-b91e-5de9-a05c-f8ef2c25770a", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6b8e105e-df6b-5a33-8617-e886391296d2", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8d55b214-8786-536e-a428-3e9475cd1658", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9cb94e56-6120-5f0c-8b2b-01f422e467ff", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1bf2db6e-dc89-5000-bef4-e1e563fa4f5e", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:80b82005-bd27-558a-9cf4-1a91380a28d6", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@5.3.39.tuxcare.6" } ] }