{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:16904f53-442c-5327-90fe-5a0092ce46a5", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c6db941b-dab1-5be8-83f2-72ad578f5d9f", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:84a12b4d-37fa-5999-8a3f-9e2dc6fca2de", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-websocket. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:72beeeb9-6b8b-5c89-ba2d-a628205cc741", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0eb020a5-4f45-520f-8e79-b70f95dadc2c", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fc53c1cd-1234-5e4c-88c6-412f9fb82cdf", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6c58eccc-3cfd-5546-8949-3327eb8916b8", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5dee20e8-1df7-5ee4-9bb6-06928539b106", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:24f92958-4680-5aae-ab96-946b9932239c", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-websocket 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:25050dc9-173f-52ef-91dd-b3f5d88ec4bb", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9694f353-e165-5e7b-b34a-b436ecafceb9", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3849373b-314d-5926-bdfd-cfe193e9269d", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a2f1a008-2597-5fed-b128-a8fee4cd9c05", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:df5df4ee-3d30-5101-af63-1c8d43646176", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:50050189-4ef5-55c9-ab07-aafe8f74fff7", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21d71ad2-5522-5584-a958-428abeba6452", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8ed7d01c-b198-5522-bebd-7c2a63fdc7dc", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a594f20-db0a-596a-b7ed-92c6cb67b729", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:62c858bc-caf0-58f1-9908-f83caa9421f0", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da9c2f7a-cf5e-5581-bf9a-4a1b3e36e38c", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-websocket. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e545fb5e-9264-5fc1-9fac-c143798ca892", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6a2b2c2-3b79-5108-9bea-2a325ee8f7c3", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fe5712dd-4013-5402-b7d5-c2fd19400e49", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4e07a068-74bd-5df3-8be5-b225a4dbf175", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:38372521-6011-52d4-a87f-87dcb4388e86", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7b8d84ec-3331-5f52-8c1e-81bd9594deca", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:04b4ad54-03ec-5644-a201-158f94a3fcfa", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f402b647-c5fa-5067-8523-c2c4490a0fc6", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ef329b04-40d7-5f81-8118-3c340e2dfcdd", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8e8f92d3-05b5-50df-99ce-d5a4a39e937c", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a4e91a9d-1586-5143-885d-93342b540354", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:56a88d08-b920-5bae-a275-defd3959f062", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bdc12bc2-cee3-59c2-ab03-f361ab2dd4f0", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0a703275-3041-5219-a5d9-aaf82202808a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.3" } ] }