{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:be12175c-8068-5036-9a33-a8713c7eea93", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b863384f-9cae-5529-a751-2c13ca68b153", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a271b4e7-5f1b-5255-80bc-a2a1a2581cd5", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-websocket. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2f0f45c4-f421-56b2-8d52-405d793ca45f", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:749d8f6b-4443-5dbc-90c9-1faf3e65c885", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1adbb9a2-ebbb-59ec-9855-6cc7d5a3c5c3", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f24c5cbb-3602-5a31-a522-09ac7cfec0a8", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4b25a30f-1c0a-5167-a27c-a7bb51a19103", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d680291e-d3af-5be8-aea2-c1b47135ccfc", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-websocket 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d6ae47d2-00a8-5019-a609-be04bc451ccc", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3507534d-4725-51cf-9fb6-df3b7f388057", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:739762e0-2f0e-518e-8f7d-e5ae289f7ef0", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:79b5772f-006b-5fc1-940a-3201519c8c41", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ce431167-7947-5246-a56e-4b6dde3a8aa1", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9839d39f-5b46-5ab2-a39a-144fba85cc02", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ec34aea2-fd16-5628-a6c7-952215179a58", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8d8b644f-d91c-5a73-a9d4-57cc1387c6f8", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8fe8a6e0-109e-591b-b70c-25b0432294ee", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:18a02fe7-25f2-57d4-8223-329203ab30d4", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4101a1ab-423a-5bbe-a0b0-a0af545f3f98", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-websocket. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3490518d-cf13-543e-8e61-20c2d3ba31d1", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5ab29742-6059-5711-953c-d0ed602c4753", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f3e623bf-0870-5cd3-9d13-d2d10f51a734", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5a44ba54-04ab-5843-bbbf-58ae23552d10", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8a52ca01-829c-5f89-ba21-2d78f5d0e64e", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b975745b-6fcc-5afc-a80e-c8a77ce56a6d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86f6456d-133c-5ecb-9b1e-6733808cead1", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2a0705c1-9a09-5f97-a546-30a2f8dc5a3e", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2e09da44-7cef-5a77-b0ad-1ead73ff42c2", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:50622a86-6f23-53b4-ad28-42c845eb5263", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ec6767ff-3968-5e8f-9ba9-71ea03846d2d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:65956bda-8a6b-56e0-a2e3-d6b051a5b98f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6412fc39-7e8c-54f0-a8b7-6aa403323311", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b16e47b7-5e39-56b9-b8f9-173179a2b3ef", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.4" } ] }