{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:832dab39-41f4-52b1-8cd1-d4b374f01538", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-jdbc", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:bc61d4e1-f9a8-5304-81c7-026fe3155dde", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b7008b13-649e-55db-8754-09521946ede6", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5f53c32-7c51-59f1-9a9b-3ba9599bb68d", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:69e68d6d-f82a-53fe-b838-f44f970429c5", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:03b1d5dd-d53c-544a-97f8-0402290744f7", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c4fb63f5-2152-58cf-b1f7-9cc8529d5eef", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:015f5995-5af7-5a1b-b688-89eb1f612cc2", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1ae21c73-7ec5-52d0-bc74-5b83d64f9c5b", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-jdbc 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e77e970b-6f5f-515f-8482-1c4443180b3b", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f0412894-202b-52bc-ac7f-394cd0357e25", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:76e3f5b4-5835-588b-aeca-6849b7e9dd2c", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81599a14-764a-520b-9355-a569f760f7a8", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b31fc994-f0f9-5a1c-b314-c4437456fa24", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b8a933ab-ae0d-5419-b5b1-63547727ee09", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8867c818-2c85-5ac2-b71a-2896f946c18a", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:78213b86-ecc1-5957-abbb-0dd2114d81cb", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8cabe33a-a192-5910-9ad4-d9382dcd1570", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:37c1c78d-0676-53f0-9a9c-e43edd7cda37", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9667659d-7dd0-5434-86a9-0a4d97b4875b", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:08fdd0f0-198c-5438-9c54-56b0abec9ae9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:997d2ac5-29b9-5722-9671-5d757f1669a0", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1332d006-d22e-53f5-b286-bccd84b60084", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e1b9e7b5-a7d5-5c36-a724-7dba489da2a2", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ae1a2531-7901-586a-b0ef-447d38bae972", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:04976513-f855-5f72-a44a-5798406b0163", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:683e22c7-d240-5b8e-b181-0f2b135ca982", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b5115154-955a-5072-bc46-a722adc89e9d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0dd27687-060e-57bc-9a21-866e1e51d52b", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:609b5550-888f-5b4e-a090-af7931302f6f", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:04523a12-c34c-55f8-bca9-5d4abf934e04", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eae6adf0-3d9d-597a-a0fa-3b172b03829e", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bfe1b736-2982-593e-9c69-ed0d855bea7f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3bb49f95-29a9-5c57-ae62-b5c581d2b2ff", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-jdbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jdbc@5.3.39.tuxcare.4" } ] }