{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5f7cf7fc-4bfa-5045-bae4-470946797d39", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-instrument-tomcat", "version": "4.3.30.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d314082d-a810-5d84-be8d-f63a2b2c9e7f", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea02c3e3-bd10-5f5f-b383-265fc74883cf", "id": "CVE-2020-5397", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5397 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9420523c-d96d-5c50-aeaf-111e1753d08d", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5d654294-06a8-583b-86d7-802edfd6955e", "id": "CVE-2021-22060", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22060 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:92ac6478-d526-5d6a-ac4c-865c92dc885e", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ad6986a6-11a9-5241-b577-21b4779f33e7", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:99198a45-d87d-5f58-9c8f-1e98a096785c", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1bf50ae-1888-59e0-8fe5-a012020a8b7f", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5c6fad31-faa5-5416-a21a-292384044fa3", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b319c618-f8d7-5f7c-a6a4-e590b763f5cf", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8c4cc5b6-ca41-5f19-b80b-29bd4bc59bff", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e8247b1e-cbd0-543e-b7dd-40ab1b49a7ed", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1a5fc1b2-2335-553d-9790-a30d2189653d", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c733f3ba-7120-51b6-b982-a66f557417dd", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:731b5b54-2030-58fe-8ff4-4ba9983a3c5d", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0baff9b0-0099-5864-8585-e443de457119", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:aff2f33f-4ba7-5dfa-b77d-eeae582bbf91", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5237faa5-8f59-5a08-83a5-bc0db477042f", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9d616f4d-9dca-519f-8d9d-839d5fadb8b3", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ad6cd9be-8f18-506e-b007-c19db6324e47", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:130d83bc-6e1b-58ef-bb3c-58004b1b88a9", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6d51d3b5-54ae-5d3b-873c-0f0e51a76836", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7d5d14b4-4ce3-5bb9-82be-da7c1a7decdb", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:96507015-1919-52b7-bf61-efb1a160098f", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a11b8d04-208e-5e1f-b719-f25ad929dd82", "id": "CVE-2026-22740", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-22740 does not affect version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat. CVE-2026-22740 is a WebFlux-specific vulnerability (reactive multipart temp-file cleanup in org.springframework.http.codec.multipart.MultipartHttpMessageReader / PartGenerator). Spring Framework 4.3.30.RELEASE predates WebFlux entirely - the org.springframework.http.codec package does not exist in this version, and there is no reactive multipart code path. Per NVD, affected versions are 5.3.x, 6.1.x, 6.2.x, 7.0.x only; Spring 4.x is not in the affected range." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e1d2b0a7-6fbc-5d1b-952f-1b569f19538d", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-instrument-tomcat." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument-tomcat@4.3.30.RELEASE-tuxcare.3" } ] }