{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:07a5f1b9-c1ee-5bc9-bd98-f05f8d941b69",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1",
      "type": "library",
      "group": "org.springframework.security",
      "name": "spring-security-saml2-service-provider",
      "version": "6.3.10-tuxcare.1",
      "purl": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:48f1530c-1fe4-52cd-a61f-a1e7ba11a180",
      "id": "CVE-2026-22732",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22732 is fixed in version 6.3.10-tuxcare.1 of org.springframework.security:spring-security-saml2-service-provider."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0724f68a-2b06-5ea2-aabd-2fcaffe06949",
      "id": "CVE-2026-22746",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22746 affects version 6.3.10-tuxcare.1 of org.springframework.security:spring-security-saml2-service-provider."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4002c2e4-a076-509c-862a-6df101884cdb",
      "id": "CVE-2026-22747",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22747 affects version 6.3.10-tuxcare.1 of org.springframework.security:spring-security-saml2-service-provider."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f23a2e5b-d785-55a0-92c8-7a88a55992f5",
      "id": "CVE-2026-22748",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-22748 is a false positive for org.springframework.security:spring-security-saml2-service-provider 6.3.10-tuxcare.1."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f8c171c4-6f34-5b83-ad11-8ad4c6dca60f",
      "id": "CVE-2026-22753",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-22753 does not affect version 6.3.10-tuxcare.1 of org.springframework.security:spring-security-saml2-service-provider. According to security advisories, CVE-2026-22753 does not affect Spring Security versions earlier than 7.0.0. This is supported by manual code inspection. CVE-2026-22753 is an access-control bypass that occurs when a user-registered PathPatternRequestMatcher.Builder bean (configured with a basePath/servlet path prefix) is silently ignored by the securityMatchers DSL, causing the security filter chain to match a different URL than the user configured. The vulnerability requires two pieces of infrastructure introduced in Spring Security 7.0.0: (1) the PathPatternRequestMatcher.Builder API itself (added in upstream commit aeb2dbc2 on 2025-08-18); (2) the wiring in HttpSecurityConfiguration.createSharedObjects() that registers this Builder as a shared object \u2014 the exact line patched by upstream commit 438c783c (the CVE fix). Neither piece exists in version 6.3.10."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5d9cbfb5-4a56-54c7-9bce-478c1bb1da58",
      "id": "CVE-2026-22754",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-22754 does not affect version 6.3.10-tuxcare.1 of org.springframework.security:spring-security-saml2-service-provider. According to security advisories, CVE-2026-22754 does not affect Spring Security versions earlier than 7.0.0. This is supported by manual code inspection and by proof-of-concept tests ported from the upstream fix commit. CVE-2026-22754 is an access-control bypass caused by PathPatternRequestMatcherFactoryBean.afterPropertiesSet() calling this.builder.basePath(this.basePath) and discarding the return value \u2014 PathPatternRequestMatcher.Builder is immutable/copy-on-modify, so the configured basePath was silently dropped and protected URLs (e.g., /spring/path) were left unmatched by the security filter chain. The vulnerability requires two pieces of infrastructure introduced in Spring Security 7.0.0: (1) the PathPatternRequestMatcher.Builder API (added in upstream commit 3e53cc2c4a, \"Use PathPatternRequestMatcher in config\"); (2) the PathPatternRequestMatcherFactoryBean class itself \u2014 the exact file patched by upstream commit 53bcf0d1 (the CVE fix). Neither piece exists in version 6.3.10. The upstream POC tests (RegexMatcher, CiRegexMatcher + AuthorizationManager variants) were ported verbatim and pass."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework.security/spring-security-saml2-service-provider@6.3.10-tuxcare.1"
    }
  ]
}