Vulnerability Reportdebezium/connect:2.1

debezium/connect:2.1

DIGESTsha256:fbb171a564b824d17d4f434e97aa79fc36b83027e8f203f76be65445186029ff

Executive Summary

Threat ScoreDANGEROUS• Threat score 100/100 indicates maximum risk.• 18 critical/high-severity vulnerabilities (≥7.0) on the exposed surface, including CVE-2025-27817 (CVSS 10.0) enabling SSRF and file reads via Kafka REST API.• CVE-2024-47561 (CVSS 8.8) allows remote code execution through crafted Avro messages, directly impacting Kafka Connect processing.• Additional severe findings: CVE-2022-25647 (DoS via Gson deserialization) and CVE-2026-42581 (HTTP request smuggling in Netty).• Despite high community reputation (51M+ pulls), the image has 103 total exposed vulnerabilities with no post-exploit-only flaws.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (51M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via malicious Avro messages (CVE-2024-47561), read arbitrary files and environment variables through SSRF (CVE-2025-27817), or cause denial of service via crafted inputs (CVE-2022-25647). Upgrading to patched versions of Kafka Client, Avro, Gson, Netty, and Protobuf would mitigate the majority of these vulnerabilities. Note: CVE-2024-1597 only applies if the PostgreSQL connection uses the non-default PreferQueryMode=SIMPLE, which reduces its practical impact.

Vulnerabilities

Vulnerability Log

107 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-27817	CRITICAL10	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.9.1	60.8% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-47561	HIGH8.8	org.apache.avro:avro 1.11.0 fixed in 1.11.4	3.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-25647	HIGH8.62	com.google.code.gson:gson 2.8.6 fixed in 2.8.9	12.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2024-1597	HIGH7.84	org.postgresql:postgresql 42.5.1 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2024-7254	HIGH7.5	com.google.protobuf:protobuf-java 3.19.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2024-7254	HIGH7.5	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-3171	HIGH7.5	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.21.7, 3.20.3, 3.19.6, 3.16.3	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-39410	HIGH7.5	org.apache.avro:avro 1.11.0 fixed in 1.11.3	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-45688	HIGH7.5	org.json:json 20220320 fixed in 20230227	1.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-5072	HIGH7.5	org.json:json 20220320 fixed in 20231013	1.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34455	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-43642	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.4	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34453	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.7% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-27819	HIGH7.48	org.apache.kafka:kafka_2.13 3.3.1 fixed in 3.4.0	0.9% Theoretical Threat	Directly Exposed
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.3.0 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly Exposed
CVE-2023-22102	HIGH7.06	com.mysql:mysql-connector-j 8.0.32 fixed in 8.2.0	0.9% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1.jre8 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2025-27818	MEDIUM6.8	org.apache.kafka:kafka_2.13 3.3.1 fixed in 3.9.1	0.9% Theoretical Threat	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.78.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bcprov-jdk15on 1.67 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.13.3 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2022-3509	MEDIUM6.38	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7	0.6% Theoretical Threat	Directly Exposed
CVE-2022-3510	MEDIUM6.38	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7	0.5% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.grpc:grpc-netty-shaded 1.46.0 fixed in 1.75.0	0.9% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.78.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2023-31582	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	0.6% Theoretical Threat	Directly Exposed
CVE-2024-29371	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.6	0.2% Theoretical Threat	Directly Exposed
CVE-2023-51775	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk15on 1.67 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2024-9823	MEDIUM6.38	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.54, 10.0.18, 11.0.18	0.9% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.5.1 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2024-56128	MEDIUM6.29	org.apache.kafka:kafka_2.13 3.3.1 fixed in 3.7.2, 3.8.1	0.8% Theoretical Threat	Directly Exposed
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2022-42003	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.13.3 fixed in 2.12.7.1, 2.13.4.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-42004	MEDIUM6	com.fasterxml.jackson.core:jackson-databind 2.13.3 fixed in 2.12.7.1, 2.13.4	2.7% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2023-34454	MEDIUM6	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.5% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2023-5236	MEDIUM5.52	org.infinispan.protostream:protostream 4.5.0.Final fixed in 4.6.2.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-31141	MEDIUM5.3	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-40167	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16, 12.0.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-26048	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26049	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14, 12.0.0.beta0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-mysql 2.1.4.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-sqlserver 2.1.4.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-core 2.1.4.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2024-41909	MEDIUM5.02	org.apache.sshd:sshd-common 2.7.0 fixed in 2.12.0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bcprov-jdk15on 1.67 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2023-33202	MEDIUM4.67	org.bouncycastle:bcprov-jdk15on 1.67 fixed in 1.70	0.9% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk15on 1.67 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2023-33201	MEDIUM4.5	org.bouncycastle:bcprov-jdk15on 1.67 No fix yet	0.6% Theoretical Threat	Directly Exposed
CVE-2024-34447	MEDIUM4.5	org.bouncycastle:bcprov-jdk15on 1.67 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.12.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.8.1 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-common 2.7.0 fixed in 2.9.3	1.0% Theoretical Threat	Directly Exposed
CVE-2022-45047	LOW3.53	org.apache.sshd:sshd-common 2.7.0 fixed in 2.9.2	3.6% Low-Moderate Risk	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.82.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2023-44981	LOW3.28	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-36479	LOW3.1	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16	1.0% Low-Moderate Risk	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-client-hotrod 14.0.2.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-commons 14.0.2.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-5384	LOW2.29	org.infinispan:infinispan-core 14.0.2.Final fixed in 15.0.0.Dev07, 14.0.25.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2022-36944	NONE0	org.scala-lang:scala-library 2.13.8 fixed in 2.13.9	8.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.3 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.78.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.3.1 fixed in 3.9.2, 4.0.1	0.5% Theoretical Threat	Not Applicable
GHSA-jgvc-jfgh-rjvv	NONE0	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	—	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable