{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:9dcc4521-62d5-5563-b06d-4b4d8097ff03",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1",
      "type": "library",
      "group": "org.springframework.security",
      "name": "spring-security-cas",
      "version": "4.2.20.RELEASE-tuxcare.1",
      "purl": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:1fae53b3-61e1-5519-a76f-b0d684eef94d",
      "id": "CVE-2007-1651",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2007-1651 does not affect version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas. Version 4.2.20.RELEASE is not vulnerable: the security fix has already been applied in the target repository."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:964f8265-4d72-5544-b0fa-16b1dd4d8908",
      "id": "CVE-2007-1652",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2007-1652 does not affect version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas. Version 4.2.20.RELEASE is not vulnerable: the security fix has already been applied in the target repository. The code contains the necessary null check for DiscoveryInformation that prevents replay attacks and session-based exploitation."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c2780f16-5063-5244-90e1-b2d8bd324046",
      "id": "CVE-2021-22112",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2021-22112 is fixed in version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bce87e72-7e84-5663-b436-ba6c5485cb47",
      "id": "CVE-2021-22119",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-22119 affects version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5dc7639b-9d21-59fe-8899-16d2bc1ae2e5",
      "id": "CVE-2022-22978",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-22978 is fixed in version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0acef01e-5505-5222-9210-f16182d04638",
      "id": "CVE-2023-34042",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-34042 does not affect version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas. 4.2.20.RELEASE is not vulnerable because CVE-2023-34042 only affects Spring Security 5.7.9\u20135.7.10, 5.8.4\u20135.8.6, 6.0.4\u20136.0.6, and 6.1.1\u20136.1.3. Version 4.2.20.RELEASE is in the 4.2.x line, which is outside those ranges. The advisory and NVD do not list any 4.x versions as affected, so 4.2.20.RELEASE is not in scope."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:da2fe4a2-1162-53f7-92a7-f22f33cb3d68",
      "id": "CVE-2024-22257",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-22257 is fixed in version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1903795e-f937-5de0-b9aa-f4b2f9d32547",
      "id": "CVE-2024-38821",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-38821 does not affect version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas. 4.2.20.RELEASE is not affected. The CVE targets the WebFlux stack (org.springframework.security.web.server); WebFlux was added in Spring Security 5.2, so 4.2.x has no WebFlux code. This branch only has the servlet stack (FilterChainProxy, HttpFirewall, etc.). The vulnerable path (WebFlux + static resources + non-permitAll) cannot occur here. Advisories may list 4.2.20 as \"affected\" by version range, but the vulnerable code is not present, so the release is not exploitable for this CVE."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1573f0af-af7d-5f35-bce7-738992c13b42",
      "id": "CVE-2024-38827",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38827 is fixed in version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d8297ed-21fe-5edc-b4c1-cb5e415137b8",
      "id": "CVE-2025-22228",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22228 is fixed in version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:28da636e-53b5-5c87-9b8a-d241181771b1",
      "id": "CVE-2026-22732",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22732 affects version 4.2.20.RELEASE-tuxcare.1 of org.springframework.security:spring-security-cas."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework.security/spring-security-cas@4.2.20.RELEASE-tuxcare.1"
    }
  ]
}