Vulnerability Reportdebezium/connect:2.2

debezium/connect:2.2

DIGESTsha256:2f63e3759fe30572a48acda0105c39dd5cb951d6b1f22453704be82412d1a6db

Executive Summary

Threat ScoreDANGEROUS• 96 exposed vulnerabilities, with 15 rated critical (≥7.0) including two CVEs with max score 10.0 (CVE-2022-1471, CVE-2025-27817).• Multiple remote code execution risks: SnakeYaml deserialization (CVE-2022-1471) and JNDI injection via mchange-commons-java (CVE-2026-27727).• High-impact data disclosure and SSRF potential from Kafka client OAuth misconfiguration (CVE-2025-27817) and HTTP request smuggling in Jetty (CVE-2026-2332).• Significant denial-of-service surface from Gson (CVE-2022-25647), org.json (CVE-2022-45688, CVE-2023-5072), and snappy-java (CVE-2023-34455, CVE-2023-43642).• All top exposed-surface findings have HIGH context importance, indicating direct exploitability via the exposed REST API or connector configuration.• No compensating controls available to fully mitigate the critical risks—upstream patches are required.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (51M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker with REST API access can achieve remote code execution via SnakeYaml deserialization (CVE-2022-1471) or JNDI injection in mchange-commons-java (CVE-2026-27727), perform arbitrary file reads and SSRF via the Kafka client OAuth endpoint (CVE-2025-27817), or trigger denial-of-service using multiple JSON/YAML parsing flaws. While some vulnerabilities like CVE-2024-1597 require non-default configuration (PreferQueryMode=SIMPLE), the majority are exploitable with default settings. Immediate remediation is mandatory; no partial workarounds fully eliminate the risk.

Vulnerabilities

Vulnerability Log

101 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2022-1471	CRITICAL10	org.yaml:snakeyaml 1.33 fixed in 2.0	99.6% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2025-27817	CRITICAL10	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.9.1	60.8% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2022-25647	HIGH8.62	com.google.code.gson:gson 2.8.6 fixed in 2.8.9	12.0% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-27727	HIGH8.33	com.mchange:mchange-commons-java 0.2.19 fixed in 0.4.0	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2024-1597	HIGH7.84	org.postgresql:postgresql 42.5.1 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2022-45688	HIGH7.5	org.json:json 20220320 fixed in 20230227	1.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-5072	HIGH7.5	org.json:json 20220320 fixed in 20231013	1.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34455	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-43642	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.4	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34453	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.7% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34454	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.5% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.3.0 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly Exposed
CVE-2023-22102	HIGH7.06	com.mysql:mysql-connector-j 8.0.32 fixed in 8.2.0	0.9% Theoretical Threat	Directly Exposed
CVE-2024-47561	HIGH7.04	org.apache.avro:avro 1.11.1 fixed in 1.11.4	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1.jre8 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-2974	MEDIUM6.88	io.quarkus:quarkus-core 2.14.0.Final fixed in 2.16.8.Final	0.7% Theoretical Threat	Directly Exposed
CVE-2026-27830	MEDIUM6.8	com.mchange:c3p0 0.9.5.5 fixed in 0.12.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-27818	MEDIUM6.8	org.apache.kafka:kafka_2.13 3.4.0 fixed in 3.9.1	0.9% Theoretical Threat	Directly Exposed
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.78.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.13.4 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2022-3509	MEDIUM6.38	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7	0.6% Theoretical Threat	Directly Exposed
CVE-2022-3510	MEDIUM6.38	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7	0.5% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.grpc:grpc-netty-shaded 1.49.0 fixed in 1.75.0	0.9% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.78.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2023-31582	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	0.6% Theoretical Threat	Directly Exposed
CVE-2024-29371	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.6	0.2% Theoretical Threat	Directly Exposed
CVE-2023-51775	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.4	0.9% Theoretical Threat	Directly Exposed
CVE-2024-9823	MEDIUM6.38	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.54, 10.0.18, 11.0.18	0.9% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.5.1 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2024-56128	MEDIUM6.29	org.apache.kafka:kafka_2.13 3.4.0 fixed in 3.7.2, 3.8.1	0.8% Theoretical Threat	Directly Exposed
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2024-7254	MEDIUM6	com.google.protobuf:protobuf-java 3.19.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-7254	MEDIUM6	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-3171	MEDIUM6	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.21.7, 3.20.3, 3.19.6, 3.16.3	1.0% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2023-39410	MEDIUM6	org.apache.avro:avro 1.11.1 fixed in 1.11.3	1.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-2700	MEDIUM5.95	io.quarkus:quarkus-core 2.14.0.Final fixed in 3.9.2, 3.8.4, 3.2.12.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2023-5236	MEDIUM5.52	org.infinispan.protostream:protostream 4.6.0.Final fixed in 4.6.2.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-31141	MEDIUM5.3	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-40167	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16, 12.0.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-26048	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26049	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14, 12.0.0.beta0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-mysql 2.2.1.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-connector-sqlserver 2.2.1.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2023-1419	MEDIUM5.02	io.debezium:debezium-core 2.2.1.Final fixed in 2.3.0.Alpha1	0.4% Theoretical Threat	Directly Exposed
CVE-2024-41909	MEDIUM5.02	org.apache.sshd:sshd-common 2.7.0 fixed in 2.12.0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2025-3588	MEDIUM4.5	org.jsonschema2pojo:jsonschema2pojo-core 1.1.1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2024-47554	MEDIUM4.3	commons-io:commons-io 2.11.0 fixed in 2.14.0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.12.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.8.1 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-common 2.7.0 fixed in 2.9.3	1.0% Theoretical Threat	Directly Exposed
CVE-2022-45047	LOW3.53	org.apache.sshd:sshd-common 2.7.0 fixed in 2.9.2	3.6% Low-Moderate Risk	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2023-44981	LOW3.28	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-36479	LOW3.1	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16	1.0% Low-Moderate Risk	Directly Exposed
CVE-2026-42581	LOW3	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2020-8908	LOW2.8	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2025-48924	NONE0	commons-lang:commons-lang 2.6 No fix yet	2.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.4 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.78.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.9.2, 4.0.1	0.5% Theoretical Threat	Not Applicable
GHSA-jgvc-jfgh-rjvv	NONE0	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	—	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable