{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:019a61fb-87ad-5b09-9eb2-aeeca26f925a", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9", "type": "library", "group": "org.springframework", "name": "spring-jdbc", "version": "5.3.39-tuxcare.9", "purl": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:e9cd16d8-e712-5fa4-b5d8-54f101775bfc", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2fb0d672-044c-524d-988b-4057caae099a", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8bbe39aa-a8a5-5dbf-a0c0-10016bc2bdd9", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:83e16c6a-0cf3-5f32-8104-73a4e7ac3aa0", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:58a813e9-ccb9-5bf4-809f-62abba48fb6c", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:5f1a4899-f35e-58f2-b9fb-d16333fbc3f1", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:1ebdd431-da8f-5eaf-a207-d28f857154e6", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:5ac2a37d-51ae-555c-80be-b52eec897942", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jdbc 5.3.39-tuxcare.9." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2c188b32-60a0-5d13-b68b-b8627f1b6f79", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:b11d93c2-5c52-5d29-ab6a-75fcb2f576eb", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:07af2cde-8dfd-5339-9228-90bb0aeaef9d", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:afeaace9-2017-57ba-bcc2-571eeaeb2c0d", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:53b865bc-6086-5cf4-8e33-dda9e0ed521b", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:48acb774-a127-5ca3-9e4a-14582c8db8c2", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:bae50f2a-3ec9-5958-a4f8-bde36e12a3d7", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:149b9d8e-522d-52c9-ad4b-87afbc85e1dc", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f0a13a48-983e-54a4-9f12-d5a676b99b28", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:9a6f8717-0789-530d-a07e-56010121c418", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:0f19cb10-ae70-535a-b683-6cffabce194f", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:024332bd-dbb4-573d-9096-10df13b3aff9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8a1c32fb-ed46-583a-93dc-d82e15323c6a", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:b3cea8a8-68fb-5b35-9e71-2eb1a30ee5e6", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:710e4f7f-106f-56aa-bdba-3d2c632fcf5e", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:fde16aa2-f947-53ac-8b98-5d4297e3270c", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e1b70603-cfa2-5d2a-9271-e693fed81a0a", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8fdb7b43-0357-5ba0-af9f-e931ea57727a", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:64f4c32b-611e-55cd-aa4a-0a4bfde1e810", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:4ca9a9d8-7fc8-52a7-be3d-1ba4559fe36c", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:ba7e6531-6075-52cf-9b5a-d246d402e006", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:58ef4528-2573-5f73-9d12-b878bdddb0ed", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:15d7173d-f95b-5456-aef4-71e5cb3c6d1f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:85dc25e5-b01f-58f7-8070-e71ba963d50a", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:69d75b00-4a05-5e00-be25-723782e7301f", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.9 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39-tuxcare.9" } ] }