Vulnerability Reportdebezium/connect:2.0

debezium/connect:2.0

DIGESTsha256:94ac45a543e33eed5b857d76f07e70a2b40f766313fdb25a8b4ec1f51ad0bb8c

Executive Summary

Threat ScoreDANGEROUS• 89 exposed vulnerabilities found, including 14 with severity >= 7.0 and max severity 10.0.• CVE-2025-27817 (Kafka client SSRF/file read, CVSS 10.0) allows arbitrary file read and SSRF via REST API.• CVE-2024-47561 (Avro schema parsing RCE, CVSS 8.8) enables remote code execution from crafted messages.• Multiple other high-severity DoS vulnerabilities (e.g., CVE-2022-25647, CVE-2026-42581) are directly reachable via network.• Image is pinned by digest and from popular community, but vulnerability load is severe.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (51M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via Avro schema parsing, read arbitrary files and perform SSRF via Kafka client configuration, or cause denial of service via multiple memory exhaustion and request smuggling vulnerabilities. No compensating controls fully mitigate these risks; the only viable action is to upgrade or replace the image.

Vulnerabilities

Vulnerability Log

94 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-27817	CRITICAL10	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.9.1	60.8% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-47561	HIGH8.8	org.apache.avro:avro 1.11.0 fixed in 1.11.4	3.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-25647	HIGH8.62	com.google.code.gson:gson 2.8.6 fixed in 2.8.9	12.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2023-39410	HIGH7.5	org.apache.avro:avro 1.11.0 fixed in 1.11.3	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-45688	HIGH7.5	org.json:json 20220320 fixed in 20230227	1.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-5072	HIGH7.5	org.json:json 20220320 fixed in 20231013	1.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34455	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-43642	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.4	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34453	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.7% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34454	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.5% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.3.0 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly Exposed
CVE-2023-22102	HIGH7.06	mysql:mysql-connector-java 8.0.29 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1.jre8 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2025-27818	MEDIUM6.8	org.apache.kafka:kafka_2.13 3.3.1 fixed in 3.9.1	0.9% Theoretical Threat	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.78.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.13.3 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.78.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2023-31582	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	0.6% Theoretical Threat	Directly Exposed
CVE-2024-29371	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.6	0.2% Theoretical Threat	Directly Exposed
CVE-2023-51775	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.4	0.9% Theoretical Threat	Directly Exposed
CVE-2024-9823	MEDIUM6.38	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.54, 10.0.18, 11.0.18	0.9% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.5.0 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2024-56128	MEDIUM6.29	org.apache.kafka:kafka_2.13 3.3.1 fixed in 3.7.2, 3.8.1	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42584	MEDIUM6.18	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2022-42003	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.13.3 fixed in 2.12.7.1, 2.13.4.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-42004	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.13.3 fixed in 2.12.7.1, 2.13.4	2.7% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-7254	MEDIUM6	com.google.protobuf:protobuf-java 3.19.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2023-5236	MEDIUM5.52	org.infinispan.protostream:protostream 4.5.0.Final fixed in 4.6.2.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-31141	MEDIUM5.3	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-40167	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16, 12.0.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-26048	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26049	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14, 12.0.0.beta0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-mysql 2.0.1.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-sqlserver 2.0.1.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-core 2.0.1.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2024-41909	MEDIUM5.02	org.apache.sshd:sshd-common 2.7.0 fixed in 2.12.0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2022-41946	MEDIUM4.67	org.postgresql:postgresql 42.5.0 fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.12.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.8.1 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-common 2.7.0 fixed in 2.9.3	1.0% Theoretical Threat	Directly Exposed
CVE-2022-45047	LOW3.53	org.apache.sshd:sshd-common 2.7.0 fixed in 2.9.2	3.6% Low-Moderate Risk	Post-Exploit
CVE-2024-1597	LOW3.53	org.postgresql:postgresql 42.5.0 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.82.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2023-44981	LOW3.28	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-36479	LOW3.1	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16	1.0% Low-Moderate Risk	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2025-27819	LOW2.69	org.apache.kafka:kafka_2.13 3.3.1 fixed in 3.4.0	0.9% Theoretical Threat	Post-Exploit
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-client-hotrod 14.0.2.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-commons 14.0.2.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-core 14.0.2.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2022-36944	NONE0	org.scala-lang:scala-library 2.13.8 fixed in 2.13.9	8.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.3 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.78.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.9.2, 4.0.1	0.5% Theoretical Threat	Not Applicable
GHSA-jgvc-jfgh-rjvv	NONE0	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	—	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable