{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:36bb1be8-9c84-5b16-a9a1-e1ce77a79844", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "5.3.27-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:e8b48ff5-8412-5c18-bcb7-2ddb65791098", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:49f4c09d-ef3a-50a2-89f9-3197cccb02da", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:536f0b4f-6ad0-5ebc-a557-72914ba8cfb6", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ad41b868-5f1f-5594-add2-89520c5c0f6a", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f6b6de46-1063-5b12-b949-767355b8d45d", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:adc83419-7d21-5dfd-82ed-a40af486e95a", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3c4a24b9-1ea4-5f61-afb9-a79bc94e6a20", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:be00c57e-7eda-52b3-bad6-8631bc79fdd7", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c1f39d17-a326-58aa-8175-665ece575468", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e6e1c59f-48b6-5bd6-97a0-13fba8c59f94", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:279ef91f-ed78-53f7-8a22-75c1f07cc1fe", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5506ed8-fdaa-56f9-b707-befb29f3c990", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-orm 5.3.27-tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:af4e570f-7c9b-57d5-8164-6a6fe727b2f4", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:93505cdb-a20b-50b9-901f-416649dd9378", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f7fa51df-15ae-5e0a-bf2b-b68cdf5f0969", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:659b9705-4235-5bad-b895-81d414888422", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:37f0f446-b864-5be4-8ffa-5a53fc4d18eb", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1feadb93-eaeb-5239-8dbb-f2482d53fc4f", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81840679-c000-5688-9d35-519e589313af", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f28b3994-36d2-58c9-a382-703cb0654db7", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6d3461d1-bc45-5325-9a0f-b6a8ecffa1f9", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:87d96986-1b9c-5af1-bc0a-105412cf443f", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:929d1444-fb90-5318-9140-da37754e7718", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.27-tuxcare.4 of org.springframework:spring-orm. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41840. The vulnerability was previously addressed through backport commits for CVE-2026-22740, which applied the identical doOnDiscard cleanup logic to prevent resource exhaustion from multipart request processing." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3a359b44-427f-58a8-8b06-2ab81c7bf957", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81c335fc-01d0-5a55-814f-693810935ce9", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1fbac974-fd69-5f51-9d13-31b45f16c20d", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cc7641ee-68a7-5248-bdae-7f10f506f738", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dae7ebb5-b3de-5f61-bb1f-bbbb955bd287", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6021dbb6-3e47-53e0-8920-7e08a9da99ad", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:041c5218-4aa5-5977-bf89-7f6f2db91187", "id": "CVE-2026-41847", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41847 does not affect version 5.3.27-tuxcare.4 of org.springframework:spring-orm. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41847. The upstream commit 07ba95739bf4451742e4ee6b4d4b2d0ee5f701bf is present in the current branch, and source code inspection confirms the vulnerability has been patched." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9d454ca8-6ea7-54f1-b011-2e0369d0245b", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:425fdfcd-db9b-56ab-bdde-0c091c161f9c", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dd3b3a5e-b4fe-55c6-9eb0-5c4a905113aa", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c37d860d-8241-5d0e-89fd-80b406446b73", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:77dc4331-a2b8-590f-bd76-a293f18a48e1", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:427213ad-efe3-583a-9699-be655638da49", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2a282d5f-e20f-521a-aae7-2e4c529e0d8f", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.27-tuxcare.4 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.27-tuxcare.4" } ] }