{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:48d75c7c-b5b5-5a49-a99b-b5baee4482b8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a8a72a70-1b10-52c7-aa21-74f908571329", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:271f5e52-e7fa-5efa-9637-d94806991ca3", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:079f8fe7-0566-5f56-aa63-a387a0eb9672", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:53053841-860f-5756-9cc4-7e0284f7334e", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6031d9b-2d89-5d21-bec7-c5e0f06ef30a", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:001ad9ff-f2b1-5ab4-a41a-758c2030efee", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3e8c25cd-7a1e-5b9d-b98d-9c65f968f8b4", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2270af3e-9339-51fa-af0a-a81af9e52406", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-r2dbc 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:116c8044-6946-549a-9e35-001dc5063911", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:524ecf48-d507-5b29-8856-7e4065e61c72", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ac6c7440-25b6-5060-813e-40b7497438fb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:99e4bba0-30f6-5e9e-bd0d-1d6a43f62e99", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0fdeec74-1bad-544f-af87-a0cb83cafb6e", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4a1c3091-3f83-5b30-9aaf-4c1efe70751d", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f7e75549-8be4-5c0d-b50d-050077843be5", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eca5cc61-c7fc-57f1-9e75-88b0df4a7f01", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:107ed504-bd7b-5e5e-9651-c1d92161b0d9", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:23e79b69-e715-58ed-9d84-599a9ffe8ff5", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:40fc7550-8c01-5f4b-9c66-fcb99541104f", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ff6aaef3-610a-5d31-91ee-cd8c1eef68f0", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eedfb507-5acf-5a33-a6cd-73f1817854d8", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:520ebc45-229d-5b98-8c66-ef9ecd52a06c", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a2ad0c2-51ed-5028-80f0-b7a110726f8e", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a2975e4f-5d19-5c01-8ec7-78e77fc22815", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2095869c-72b1-513b-a556-43b514e8c259", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fca6184f-1690-51f9-a0b4-9b8017ea9713", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:586e6fc2-33e4-58c5-a7fd-da43e5e58dc6", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ab2c7d69-4a0c-5bff-a333-81aca0d9f6d8", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b1946e1f-ddfd-58c5-9912-2028545205c8", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b5d9cebe-e594-5e92-a900-162faef58625", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:67399d5a-141d-5f63-94b4-6f8473198d4b", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2753d948-ff78-5aa9-824f-af86947b1280", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f8770ba2-9a26-594d-a531-91b248e698d7", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.3" } ] }