{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7d17c634-8d9c-5e0b-815b-e8cd4b0f29d4", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-tx", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:8ccc07e7-613b-55bb-b980-1afc2ec4c89c", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c0350d78-ea82-5709-a773-be80c845dbc9", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-tx. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:537754b5-1053-555e-9225-d11c7b236f25", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f07b986f-ed27-54f7-b799-c49cbfab80b5", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9e3fba77-6f40-5eaa-bbed-8d6d0d104164", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:550c1c5f-aaf6-5e82-83d6-09436d00343c", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6838ee41-a302-5d1c-954b-57c90aa309b6", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5c21f41e-c8e8-50cf-9fb8-ffde42c4f658", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-tx 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:060bcd6c-846e-5abf-b818-660dbb1c6eb6", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7df96878-b1b2-57f4-a7da-ec05f667ea1d", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:33865c08-5f91-521c-8b90-d29fb75e370e", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1e5945e-3404-5770-b0e6-b3ac2db42442", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:48929640-95c1-5956-aaeb-248f3df7edf0", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:59a14776-bce6-581d-8e10-043f6b939a60", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e551032f-e956-58d7-aa44-fdebe5260702", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a26d85f6-ea09-5551-ad3b-0fdd6963aa60", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4d6e30e8-07c7-578a-b3ac-4c82d494ec21", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:770a0904-a336-5e63-a8ee-0654d71c8b2f", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d440e702-1783-530a-a962-85a2c381eeb4", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-tx. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f0d34df8-da1d-5a9d-8e35-2d2d82cdc972", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8b2f8421-17af-5af8-ae24-36ee130a3f41", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3befab30-27c1-5cac-8852-da313cdb49be", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:08c8f7bb-ea9b-5b39-9795-0411c1a7d5c6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9779997b-8d9e-55b9-a720-87e277a279b9", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd2cf258-ab00-598f-9625-143d876a4f87", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e3846241-ad81-5f2b-a795-287ec2970a27", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ba1b1904-1618-5323-b18b-269c1d49f9cb", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:05b0f51c-4e72-5a0c-a23a-fa54e9e407a3", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2ba91f1d-ad6c-5423-b8ca-6b841d40ba13", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0b8b9201-e5c4-5575-820c-4b6016181c62", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:edca7042-0dad-5450-b3ec-4f3e1059a355", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:80f4f90e-42f5-5df9-832e-a2a44fa181bd", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:88a157a2-2501-5f68-9207-a652a3b4bd0d", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39.tuxcare.3" } ] }