Vulnerability Reportdebezium/connect:1.9

debezium/connect:1.9

DIGESTsha256:d6d5249e9678ea633302239e2461833585afdd2dc2b1e6a32c8f9aaf5bb8af76

Executive Summary

Threat ScoreDANGEROUS• 90 total exposed vulnerabilities, 8 with severity >=7.0, including CVE-2025-27817 (CVSS 10.0) and CVE-2025-27819 (RCE).• CVE-2025-27817 enables arbitrary file read and SSRF via Kafka Connect REST API.• CVE-2025-27819 allows remote code execution via JNDI injection if REST API can set JAAS config.• CVE-2022-25647 (Gson deserialization) can cause denial of service with no special configuration.• Container is commonly used as an internet-facing Kafka Connect service, increasing exploitability.• No post-exploit findings, but exposed surface is critical.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (51M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via JNDI injection (CVE-2025-27819) or arbitrary file read and SSRF (CVE-2025-27817), and cause denial of service via deserialization (CVE-2022-25647). Upgrading Kafka to 3.4.0+ would disable JndiLoginModule by default, fully mitigating CVE-2025-27819. Note: CVE-2025-27817 requires the SASL/OAUTHBEARER token endpoint URLs to be configurable by an untrusted party, which is possible via the Kafka Connect REST API. Without urgent patching, this container is highly exploitable.

Vulnerabilities

Vulnerability Log

104 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-27817	CRITICAL10	org.apache.kafka:kafka-clients 3.2.0 fixed in 3.9.1	60.8% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2022-25647	HIGH8.62	com.google.code.gson:gson 2.7 fixed in 2.8.9	12.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2024-1597	HIGH7.84	org.postgresql:postgresql 42.3.5 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.44.v20210927 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2020-36518	HIGH7.5	com.fasterxml.jackson.core:jackson-databind 2.12.4 fixed in 2.13.2.1, 2.12.6.1	4.9% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-27819	HIGH7.48	org.apache.kafka:kafka_2.13 3.2.0 fixed in 3.4.0	0.9% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.3.0 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly Exposed
CVE-2023-22102	HIGH7.06	mysql:mysql-connector-java 8.0.28 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 9.4.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 9.4.1.jre8 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2025-27818	MEDIUM6.8	org.apache.kafka:kafka_2.13 3.2.0 fixed in 3.9.1	0.9% Theoretical Threat	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.73.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.44.v20210927 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.12.4 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.12.6 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.73.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.73.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.73.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.73.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2023-31582	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	0.6% Theoretical Threat	Directly Exposed
CVE-2024-29371	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.6	0.2% Theoretical Threat	Directly Exposed
CVE-2023-51775	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.4	0.9% Theoretical Threat	Directly Exposed
CVE-2024-9823	MEDIUM6.38	org.eclipse.jetty:jetty-servlets 9.4.44.v20210927 fixed in 9.4.54, 10.0.18, 11.0.18	0.9% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.3.5 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2024-56128	MEDIUM6.29	org.apache.kafka:kafka_2.13 3.2.0 fixed in 3.7.2, 3.8.1	0.8% Theoretical Threat	Directly Exposed
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.44.v20210927 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 31.0.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2021-46877	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.12.4 fixed in 2.12.6, 2.13.1	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-42003	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.12.4 fixed in 2.12.7.1, 2.13.4.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-42004	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.12.4 fixed in 2.12.7.1, 2.13.4	2.7% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-42003	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.12.6.1 fixed in 2.12.7.1, 2.13.4.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-42004	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.12.6.1 fixed in 2.12.7.1, 2.13.4	2.7% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.2.0 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.73.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.44.v20210927 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2023-5236	MEDIUM5.52	org.infinispan.protostream:protostream 4.4.1.Final fixed in 4.6.2.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2022-24823	MEDIUM5.5	io.netty:netty-codec-http 4.1.73.Final fixed in 4.1.77.Final	1.0% Low-Moderate Risk	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.73.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-31141	MEDIUM5.3	org.apache.kafka:kafka-clients 3.2.0 fixed in 3.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-40167	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.44.v20210927 fixed in 9.4.52, 10.0.16, 11.0.16, 12.0.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-26048	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.44.v20210927 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26049	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.44.v20210927 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14, 12.0.0.beta0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-mysql 1.9.7.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-sqlserver 1.9.7.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-core 1.9.7.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.73.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.73.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2022-41946	MEDIUM4.67	org.postgresql:postgresql 42.3.5 fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.44.v20210927 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.12.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.8.1 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-49128	LOW3.4	com.fasterxml.jackson.core:jackson-core 2.12.4 fixed in 2.13.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-49128	LOW3.4	com.fasterxml.jackson.core:jackson-core 2.12.6 fixed in 2.13.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.63.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.73.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2023-44981	LOW3.28	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-47561	LOW3.17	org.apache.avro:avro 1.10.1 fixed in 1.11.4	3.3% Low-Moderate Risk	Post-Exploit
CVE-2024-47561	LOW3.17	org.apache.avro:avro 1.11.0 fixed in 1.11.4	3.3% Low-Moderate Risk	Post-Exploit
CVE-2023-36479	LOW3.1	org.eclipse.jetty:jetty-servlets 9.4.44.v20210927 fixed in 9.4.52, 10.0.16, 11.0.16	1.0% Low-Moderate Risk	Directly Exposed
CVE-2026-42581	LOW3	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2022-31197	LOW2.88	org.postgresql:postgresql 42.3.5 fixed in 42.2.26, 42.4.1, 42.3.7	1.7% Low-Moderate Risk	Post-Exploit
CVE-2020-8908	LOW2.8	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 31.0.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.1.73.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2024-7254	LOW2.7	com.google.protobuf:protobuf-java 3.19.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Post-Exploit
CVE-2023-39410	LOW2.7	org.apache.avro:avro 1.10.1 fixed in 1.11.3	1.8% Low-Moderate Risk	Post-Exploit
CVE-2023-39410	LOW2.7	org.apache.avro:avro 1.11.0 fixed in 1.11.3	1.8% Low-Moderate Risk	Post-Exploit
CVE-2023-34455	LOW2.7	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.8% Low-Moderate Risk	Post-Exploit
CVE-2023-43642	LOW2.7	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.4	1.0% Low-Moderate Risk	Post-Exploit
CVE-2023-34453	LOW2.7	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-34454	LOW2.7	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.5% Low-Moderate Risk	Post-Exploit
CVE-2022-2047	LOW2.29	org.eclipse.jetty:jetty-http 9.4.44.v20210927 fixed in 9.4.47, 10.0.10, 11.0.10	0.9% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-client-hotrod 12.1.6.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-commons 12.1.6.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-core 12.1.6.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2022-36944	NONE0	org.scala-lang:scala-library 2.13.8 fixed in 2.13.9	8.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.12.4 fixed in 2.21.1, 2.18.6	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.12.6 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.73.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.73.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.2.0 fixed in 3.9.2, 4.0.1	0.5% Theoretical Threat	Not Applicable
GHSA-jgvc-jfgh-rjvv	NONE0	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	—	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable