{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:8a2e4345-59c4-55a7-b424-14c78feffba4", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-messaging", "version": "5.3.39.tuxcare.5", "purl": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:84f83a60-0abd-5989-9b20-6c5c3356d367", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:75ee83c7-ac61-5dd5-baac-925b9258dc3c", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-messaging. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5768fedf-eede-55a7-947c-c79796a04773", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3ed6694c-fa99-55ad-bcd0-9b3a8edd19be", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5caf9d0a-2bba-5d8c-9940-50f4c4db6e7d", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:01119afa-ea2c-5d39-9c77-7e68b47c6fc1", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:1fb9b86f-0af8-5435-99fe-f39c2f43698e", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:83263f3d-8529-5bf0-8803-d11bf20763ff", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-messaging 5.3.39.tuxcare.5." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d7cd541e-6ee2-5323-932e-044785345218", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8ed3db3c-b35b-5b83-bd4e-e4fb0cc5390f", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e972c9da-165d-5798-9070-a2ed364e9296", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0f721aa8-ff86-5856-aacc-f67ca698f4ee", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:1a00e860-5df9-55ad-9a43-97ef92a62a9e", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:466f6a9a-79b6-5779-9973-a343c8e2716c", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f4628f5d-22ef-5706-a5de-00ac72867484", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:eb0e7700-9546-53db-bc65-6a0e8236d385", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:eaa8f6cd-6633-5626-83bf-3e9eee6bae85", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:859e4b64-e3f2-58c5-a396-d25545620088", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3e7b5c52-5a5f-5345-ac91-5011d7a90ec5", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-messaging. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d8ff1c97-febb-5269-929f-5f8c8a9f9ff9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e487688d-ebc7-5172-bf05-1a104cb3ee68", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:308ffe7d-ed26-5020-b311-e9853f012789", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:43b8ce75-7322-5206-afcf-24744ac551f6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e664686b-992a-55a4-92d4-dc59d9981cbf", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7558d278-3128-5305-9e85-b648b39b0339", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:99820542-f418-56a8-8076-35aaae2dc634", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4d7c2db5-521d-53ba-86a9-2d98b6896eb0", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ccbf1524-6e01-5b15-8959-3b7e90f5de1e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2dc79960-cbb3-53a3-ac27-2549ed343a64", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:999673bd-2cad-51ef-acbe-eff4398c68a2", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ad1ba684-db60-5d5e-8cb8-791ebe1a8ca4", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b08726c5-3ad9-5733-8afd-cc93681640d5", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d64f5ad9-9587-54e9-b2b3-c459a8683645", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.5 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.5" } ] }