{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:bb7543a4-48e9-5f91-a6b4-2f22607f4029", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "5.3.39-tuxcare.10", "purl": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1b28a9dc-f41a-513d-94a6-e8bf20112a17", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:39c8c81b-6a0c-5817-b94f-452c24d4e86a", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.10 of org.springframework:spring-orm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6414a4bf-13db-523e-8787-5ac129868c03", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:e80314ec-d24e-5e3e-af09-505d132795f8", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:90128236-b3bb-5534-93b1-d35cf2a92fe0", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:f00ddabe-29bd-5ae3-b0b0-99e18fa2fb9e", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6bf46d1a-7975-54b1-bd9a-5e70a2a23de3", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:2d5b2227-658a-5e7a-9ddf-3c1371054ed9", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-orm 5.3.39-tuxcare.10." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:727ad444-ef14-5fcd-8572-3bfd3e07df77", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:d1f172d7-eace-52df-9935-2f14bd2c3bab", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:3b471b68-6dba-53a0-aaf3-74ec92fc27bc", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:9ad7b4af-9569-5689-ad0a-a378ae120598", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:058dd50a-bef4-52d5-84a2-98f32fb0deb1", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:9ee40fe3-f24c-51f9-8d9e-09ebdcbf5eaf", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:83ac39ae-1a67-5176-8d52-648bc07e1eb3", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:1aa61ec4-43f6-5000-90dd-88db54a44cb1", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6088be14-20e8-5723-97bb-ae7e7b3ae46e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:c1d89b46-355b-5c7c-9ca9-b7731bd451e1", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:9d28fb27-3148-5a0d-beb3-a94c7c5736b5", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.10 of org.springframework:spring-orm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:89a6a48b-76d1-56e0-a2e0-11b760754da9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:13f8d391-e2e0-5b08-956d-be2ee6afe5c7", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:de5dab48-9a5a-58e0-9392-1ff4bbd2d656", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:36ce0c53-ab18-5f1d-bca8-93efd69e7234", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:80bf99d9-75ee-5a8a-95c9-f50efcb3799f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:321076b5-b896-5576-a6b5-cdf984ecf791", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:e8172d7d-f9ce-527c-90ac-00e06fa1a401", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:58f4f369-4a9c-57f9-a987-5bb208843149", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:079df48e-daed-5996-9278-dfb40ea4d298", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:434b5e1e-0859-597d-8532-f3759e4faf33", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:1e8adc5e-15ec-5bf5-a41d-bbdfca24a450", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:34ca7f2c-4259-5f22-8f6d-8344779e6baf", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:ee3b1807-e08b-5a0c-b349-11a099033445", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:5056ecbc-17ab-59ff-a4f8-c913e33ef42a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.10 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.10" } ] }