{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:572dbca2-a3f8-510f-813e-8e2b68b60d77", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "5.3.39-tuxcare.8", "purl": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:64a5daca-c1a7-5a3d-bda7-cc10b123873b", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:e87c8655-f6d8-5eab-baf5-999cd8f12e1c", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-orm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:6b554626-72f7-5b62-8d96-24b30e7c31da", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:193806ee-bd1b-56f4-aef8-f95921af50e6", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:e91d3dac-889d-5310-ba38-44ff680b53cb", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3e92c768-44e8-576e-9800-9163cf86a375", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:a4ccf152-de58-54f1-9a08-8aec9dde1008", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:77cf844c-0b92-5e81-9c0b-fb1fdf431139", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-orm 5.3.39-tuxcare.8." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c604f839-db0e-5f63-a618-6876b93354b7", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:6767a390-fd01-5621-ab8e-b7241a2e88e7", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:16ee6f1a-0c0e-511d-8ddd-65c9c8754238", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:fccf07dc-a799-56b4-8adc-b0438bfdafc5", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:4043668e-36bd-5458-9390-0b4e648a92cf", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:e630a3ca-c493-5d22-8c96-b105c2099000", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b92617a0-264c-53bf-9471-2ce343e6483f", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:9c2d98d7-e2ff-5963-b4ca-0a1a14cb9ab6", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:df7c0eed-2e33-584e-a027-bf463032f1f7", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b8020626-827d-5197-8745-0262f91507c0", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ed98764a-91b1-595d-8774-f91d656200dd", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-orm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:bfd8678d-2a81-5483-9dd3-74b186d288ae", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:84b97d60-b8c6-5ae9-aa12-6cf2e46d3978", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:bf9da381-c0c2-5db3-b5f4-9193bcc489d4", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:dd96ee02-2d21-5c24-8f33-2277a8b48d9c", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3ac91cee-24ee-5200-82af-462b45e596cf", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:64d914af-8ad0-5312-bb64-49c9022dd293", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:4683ed6b-a756-5400-b2eb-798804c5a03f", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3516c5ca-45b1-5745-9cb6-54c0556f8d0e", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:87636631-b0b1-5b6f-acd2-b275fdd05b06", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:44124288-42fe-568a-a075-2fb83fa9d1d3", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:fcce58ad-6d7d-5f2e-8b02-eca7f4ca7656", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:6139062e-6471-5990-bdea-7965e1c78983", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:bd91d733-3186-5b0e-adf9-05684ce8fe34", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:a3b98f6f-52cc-5f30-9586-0cb59cf028b8", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.8 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39-tuxcare.8" } ] }