{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:4da73c19-31c5-562b-9786-f01bbada296d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-jdbc", "version": "5.3.39.tuxcare.1", "purl": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:5cebbf42-81fe-5b74-959f-9d0848b8e944", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7181c3f2-723d-54c5-9293-b3aeb5aa35f6", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8935df8c-c270-53f3-a40e-6211030c482a", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6a31649d-5920-5843-826f-37cae1d4b4fe", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f45a057d-cbee-5770-a89c-3460d620ba16", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:538ab1eb-20a0-51ae-966d-cb0f1a597657", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8a18cc04-ee3a-5163-a5b7-ed18b7f3bbef", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9768a057-aec1-5ec5-acf5-58844901d20f", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jdbc 5.3.39.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:52e4d78b-b77c-5e03-aca2-e24795e2beaf", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2da1b174-a5a0-522c-a50f-40598e67e362", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:61e26fe6-8a0f-5cde-9346-2971cd5822c0", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cbdfd521-efad-53fd-9ed4-089bac261b73", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a85d2fe7-9fa1-5e46-bfa2-2ce706e44bd1", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cdec30f8-84d4-5e98-be9c-7b5c9270c50e", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5c21f778-1de8-5d1d-a30b-eb1c80dd8cb2", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:93a5ad7b-798a-506c-96fe-1eb70fdd4ec4", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:984cbe32-b6d3-504b-99d4-b6f25c33b9c8", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2b2f0fb5-b145-5a8a-8182-451727fc85eb", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:43f8fad7-c83a-5fb9-a964-d051ac007442", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4d96a294-0e4c-5a31-9ee4-6bff7c10ab34", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b16c012e-39a2-5dc9-aa36-49ce67d901ac", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5fbd8774-1d28-5f4c-b593-79ae3a42f299", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7725d5e3-9645-52d7-881d-388193a947e8", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:dbfec1da-b537-5c91-bb70-3b765504ce2a", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e574aec3-26be-5082-b25c-38e4b4dae29d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b474b8d0-b26c-53b0-a333-e07aed01b278", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:235cbad1-3d3d-5c35-aa13-74110eb4ed35", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3b44927d-6480-5299-aca0-af0e71618c82", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:66a1e4c4-8893-52eb-b4e5-d769c79833ad", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3f12f3a0-9c77-5a30-b347-7eead6806c27", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c31073f0-5c94-5ac1-9a35-a14111c2fef6", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:37164e68-a2a9-5c46-9a97-596d6a20c412", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6bbbd057-f7db-561c-becd-39039f8a4b68", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.1 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.1" } ] }