Vulnerability Reportdebezium/connect:2.3

debezium/connect:2.3

DIGESTsha256:aed61061794191c97e89e1e81f4547354f6ea90bbed67e8811182a777425e158

Executive Summary

Threat ScoreDANGEROUS• 91 exposed vulnerabilities with 15 at severity 7+ and maximum severity 8.5, indicating critical risk.• DNS cache poisoning via CVE-2026-45674 and CVE-2026-47691 (CVSS 8.5) in Netty DNS client enables man-in-the-middle attacks, compromising data confidentiality and integrity.• HTTP request smuggling vulnerability CVE-2026-2332 (CVSS 7.73) in Jetty server can bypass security controls and access internal endpoints.• Multiple high-severity DoS vulnerabilities (e.g., CVE-2024-7254, CVE-2023-39410) allow remote attackers to crash the container via crafted input.• Despite high community trust (RELIABLE, 51M+ pulls), the severity and reachability of these flaws make this image unsuitable for production.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (51M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker can exploit DNS cache poisoning to redirect traffic and intercept data, use HTTP request smuggling to bypass authentication, or cause denial of service via memory exhaustion from crafted Protobuf, Avro, or Snappy payloads. These vulnerabilities are remotely exploitable without authentication and affect core components like Netty DNS and Jetty HTTP, which are integral to the container's operation. No compensating controls are available that fully eliminate these risks; strict network segmentation and input validation are insufficient to prevent exploitation.

Vulnerabilities

Vulnerability Log

100 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45674	HIGH8.5	io.netty:netty-resolver-dns 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-47691	HIGH8.5	io.netty:netty-resolver-dns 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42579	HIGH7.73	io.netty:netty-codec-dns 4.1.86.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42584	HIGH7.73	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2024-7254	HIGH7.5	com.google.protobuf:protobuf-java 3.19.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly Exposed
CVE-2024-7254	HIGH7.5	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly Exposed
CVE-2023-39410	HIGH7.5	org.apache.avro:avro 1.11.1 fixed in 1.11.3	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-5072	HIGH7.5	org.json:json 20220320 fixed in 20231013	1.4% Low-Moderate Risk	Directly Exposed
CVE-2023-34455	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-43642	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.4	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-34453	HIGH7.5	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.7% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-67030	HIGH7.48	org.codehaus.plexus:plexus-utils 3.3.0 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly Exposed
CVE-2023-22102	HIGH7.06	com.mysql:mysql-connector-j 8.0.33 fixed in 8.2.0	0.9% Theoretical Threat	Directly Exposed
CVE-2024-47561	HIGH7.04	org.apache.avro:avro 1.11.1 fixed in 1.11.4	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1.jre8 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-2974	MEDIUM6.88	io.quarkus:quarkus-core 2.14.0.Final fixed in 2.16.8.Final	0.7% Theoretical Threat	Directly Exposed
CVE-2026-27830	MEDIUM6.8	com.mchange:c3p0 0.9.5.5 fixed in 0.12.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-27818	MEDIUM6.8	org.apache.kafka:kafka_2.13 3.4.0 fixed in 3.9.1	0.9% Theoretical Threat	Directly Exposed
CVE-2026-27727	MEDIUM6.66	com.mchange:mchange-commons-java 0.2.19 fixed in 0.4.0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2023-34462	MEDIUM6.5	io.netty:netty-handler 4.1.78.Final fixed in 4.1.94.Final	2.5% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.13.4 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2022-3509	MEDIUM6.38	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7	0.6% Theoretical Threat	Directly Exposed
CVE-2022-3510	MEDIUM6.38	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7	0.5% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.grpc:grpc-netty-shaded 1.49.0 fixed in 1.75.0	0.9% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.78.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2023-31582	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	0.6% Theoretical Threat	Directly Exposed
CVE-2024-29371	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.6	0.2% Theoretical Threat	Directly Exposed
CVE-2023-51775	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.4	0.9% Theoretical Threat	Directly Exposed
CVE-2024-9823	MEDIUM6.38	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.54, 10.0.18, 11.0.18	0.9% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.5.1 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2024-56128	MEDIUM6.29	org.apache.kafka:kafka_2.13 3.4.0 fixed in 3.7.2, 3.8.1	0.8% Theoretical Threat	Directly Exposed
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-34454	MEDIUM6	org.xerial.snappy:snappy-java 1.1.8.4 fixed in 1.1.10.1	1.5% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-2700	MEDIUM5.95	io.quarkus:quarkus-core 2.14.0.Final fixed in 3.9.2, 3.8.4, 3.2.12.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.78.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-31141	MEDIUM5.3	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-40167	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16, 12.0.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-26048	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14	3.3% Low-Moderate Risk	Directly Exposed
CVE-2023-26049	MEDIUM5.3	org.eclipse.jetty:jetty-server 9.4.48.v20220622 fixed in 9.4.51.v20230217, 10.0.14, 11.0.14, 12.0.0.beta0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-41909	MEDIUM5.02	org.apache.sshd:sshd-common 2.9.2 fixed in 2.12.0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.78.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2022-1471	MEDIUM4.58	org.yaml:snakeyaml 1.33 fixed in 2.0	99.6% Actively Exploited	Post-Exploit
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.48.v20220622 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2025-3588	MEDIUM4.5	org.jsonschema2pojo:jsonschema2pojo-core 1.1.1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2024-47554	MEDIUM4.3	commons-io:commons-io 2.11.0 fixed in 2.14.0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2025-27817	LOW3.79	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.9.1	60.8% Actively Exploited	Post-Exploit
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.12.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.8.1 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-common 2.9.2 fixed in 2.9.3	1.0% Theoretical Threat	Directly Exposed
CVE-2024-1597	LOW3.53	org.postgresql:postgresql 42.5.1 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.78.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2023-44981	LOW3.28	org.apache.zookeeper:zookeeper 3.6.3 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2022-25647	LOW3.1	com.google.code.gson:gson 2.8.6 fixed in 2.8.9	12.0% High Exploitation Risk	Post-Exploit
CVE-2023-36479	LOW3.1	org.eclipse.jetty:jetty-servlets 9.4.48.v20220622 fixed in 9.4.52, 10.0.16, 11.0.16	1.0% Low-Moderate Risk	Directly Exposed
CVE-2026-42581	LOW3	io.netty:netty-codec-http 4.1.78.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2020-8908	LOW2.8	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2022-3171	LOW2.7	com.google.protobuf:protobuf-java 3.21.6 fixed in 3.21.7, 3.20.3, 3.19.6, 3.16.3	1.0% Low-Moderate Risk	Post-Exploit
CVE-2022-45688	LOW2.7	org.json:json 20220320 fixed in 20230227	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-48924	NONE0	commons-lang:commons-lang 2.6 No fix yet	2.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.4 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.78.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.78.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.4.0 fixed in 3.9.2, 4.0.1	0.5% Theoretical Threat	Not Applicable
GHSA-jgvc-jfgh-rjvv	NONE0	org.bitbucket.b_c:jose4j 0.7.9 fixed in 0.9.3	—	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.21.0 fixed in 4.2.1	—	Not Applicable