{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e02891de-ea79-5f14-a77e-9f4a81dcfc52", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "5.3.39.tuxcare.1", "purl": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:94f109dd-bf8c-5e4f-a23f-de88613882fa", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:21242068-e610-5e38-abaa-086d0301ba9b", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-orm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:66b834ac-cd67-52af-b8e7-623b15eba5cb", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0fc5d04a-2968-5813-a1e4-f3c59ed23bb6", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0af2c605-bbca-5f3e-b4f7-65cfcff0d9c7", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f8006d56-c064-5a58-b085-7e57cd7082a8", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:955c311b-88da-511a-856f-cd7d3c860478", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:82a7942b-670e-56e9-8829-a4ac1a644706", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-orm 5.3.39.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8c532b8d-15ed-58b2-bb82-4610bc54c0ca", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3f0919cf-9241-5041-a9b0-c80d1fff5e14", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ad28c54b-e32d-5637-95d5-1f608427cc97", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ce29b658-2f6c-55b6-a6d0-f2bc10b21152", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c0215ce3-5fd0-5ee7-9d21-bfe0f0ed86a9", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4e4bcaeb-e089-5876-9349-f84def41aa62", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:97dc3792-bda2-533e-b8fd-9c0da9fafe54", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f525ae18-fcff-5af4-b71c-5880b4386f94", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9076a03b-a3aa-501c-99a6-e1049d262c60", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f87c35a2-50b2-5b78-ab85-fd8613495f68", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:abe95a26-371e-50ea-ba38-570b6660b02f", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-orm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c21806b2-022c-5c1a-a6f7-9647dd1bd991", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aa22525d-bd92-5ab7-be4a-43508b8cae53", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0ab67449-ee9e-527c-8705-d79e589cf40b", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:59e6ea4a-cc11-511f-8716-04447663212b", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fccf0fb6-2fd7-528d-a935-10ac45e442f1", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b68e382e-2569-5706-a1d0-733bc653da12", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:58407720-18c1-57d4-b596-3e943f3e4725", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d9bf8b6b-0679-50f3-a5c2-7fdf05dc27ff", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b5882256-f017-50a0-9302-1407297fe9dd", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:658b1601-99a8-5c14-8a64-1532beaf4247", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8aa5b751-4b1b-5f5a-b65b-e92b743c0933", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f28aac8e-4b4f-5c61-9fc7-0a8a58a5ed75", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:71fb432d-61fb-56df-9e91-66f21bfda421", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:47630b06-2455-54d0-8e7f-9061edf8412c", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.1 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@5.3.39.tuxcare.1" } ] }