{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:83a346ce-b73b-5e5f-b73a-95e6a523c93d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "4.3.30.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6262ef33-1863-5174-9409-d53dac3e8e01", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:930cb942-0fcc-5379-aeab-e2a5f432e559", "id": "CVE-2020-5397", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5397 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8446b678-a207-5789-a845-f2a5ec48bb0b", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:92f31b60-ce9f-5323-b7ba-b203c7aa323b", "id": "CVE-2021-22060", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22060 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1bc63a11-c0bb-5ca4-9789-4ba9753724b9", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a8f11b7f-bd5b-50ad-93ad-7b4e4ad9c233", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:af634525-6afa-5528-ac70-a55fd004fa51", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b8c5e98b-ab5f-5e66-b599-338891dbf9d7", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:64a3cf90-e971-5279-96d3-73ea3b80573f", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:41ab2d4b-188a-5b35-8740-6fd884844070", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:333d0dbc-26d8-5d02-aacc-183dced4ba56", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:142c2f05-be29-5bd6-985c-a67190ff7205", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:55446767-d1b2-5e4d-943a-335f4e5040cb", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9f3bbf4b-f529-5aee-9943-45dbbe5c01b0", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5ca5a7a1-a9be-5333-8ad2-80657a1c1b03", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a2aad80b-645d-5210-872f-d7ff43ce46e1", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0ef10848-d754-5132-9c91-87271504817c", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1633ac0-fa64-54d6-9c89-adb87c005083", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c37527e3-4908-5c24-8766-8287250e0a2f", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f47bd01f-804b-53ec-acef-c35b38f43c14", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da3020a0-0380-5db6-b1c5-46e163d89eb1", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d0ecd721-4861-5018-955c-f6934f83e4aa", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f8b18ef3-0b60-56ee-abcf-284f0dca009f", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bb4c35c0-8228-58c4-add3-097dbb51bd66", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1ab42793-7157-5120-aba7-dbad64b24cee", "id": "CVE-2026-22740", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-22740 does not affect version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm. CVE-2026-22740 is a WebFlux-specific vulnerability (reactive multipart temp-file cleanup in org.springframework.http.codec.multipart.MultipartHttpMessageReader / PartGenerator). Spring Framework 4.3.30.RELEASE predates WebFlux entirely - the org.springframework.http.codec package does not exist in this version, and there is no reactive multipart code path. Per NVD, affected versions are 5.3.x, 6.1.x, 6.2.x, 7.0.x only; Spring 4.x is not in the affected range." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a70cb9fe-36e7-5b83-bdd3-f4ec278b3ed1", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 4.3.30.RELEASE-tuxcare.3 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@4.3.30.RELEASE-tuxcare.3" } ] }