Vulnerability Reportdebezium/connect:2.4

debezium/connect:2.4

DIGESTsha256:189d2276b8e1b49aea6819ae17196b1e036b3b8d32499b158fe0e21ec2b3e83f

Executive Summary

Threat ScoreDANGEROUS• 83 exposed vulnerabilities, including 8 with severity >=7 and max severity 10.0 (CVE-2025-27817).• Multiple HIGH-severity CVEs remotely exploitable in Kafka Connect context: RCE via Avro (CVE-2024-47561), file read/SSRF (CVE-2025-27817), memory exhaustion (CVE-2023-39410).• No post-exploit findings, but exposed surface is extensive and directly accessible via REST API.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (51M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution via malicious Avro schema (CVE-2024-47561) or arbitrary file read/SSRF through Kafka Client OAuth configuration (CVE-2025-27817), and cause denial of service via Avro memory exhaustion (CVE-2023-39410) or crafted JSON (CVE-2023-5072). Note that CVE-2024-1597 requires non-default PostgreSQL mode and CVE-2022-1471 is only exploitable if YAML from untrusted sources is processed, but the highest-severity issues have no such prerequisites.

Vulnerabilities

Vulnerability Log

93 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-27817	CRITICAL10	org.apache.kafka:kafka-clients 3.5.1 fixed in 3.9.1	60.8% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-47561	HIGH8.8	org.apache.avro:avro 1.11.1 fixed in 1.11.4	3.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-1471	HIGH8	org.yaml:snakeyaml 1.33 fixed in 2.0	99.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-1597	HIGH7.84	org.postgresql:postgresql 42.6.0 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.51.v20230217 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2023-39410	HIGH7.5	org.apache.avro:avro 1.11.1 fixed in 1.11.3	1.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-5072	HIGH7.5	org.json:json 20220320 fixed in 20231013	1.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-43642	HIGH7.5	org.xerial.snappy:snappy-java 1.1.10.1 fixed in 1.1.10.4	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM6.88	com.microsoft.sqlserver:mssql-jdbc 10.2.1.jre8 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM6.88	io.netty:netty-handler 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2023-2974	MEDIUM6.88	io.quarkus:quarkus-core 2.14.0.Final fixed in 2.16.8.Final	0.7% Theoretical Threat	Directly Exposed
CVE-2026-27830	MEDIUM6.8	com.mchange:c3p0 0.9.5.5 fixed in 0.12.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-27818	MEDIUM6.8	org.apache.kafka:kafka_2.13 3.5.1 fixed in 3.9.1	0.9% Theoretical Threat	Directly Exposed
CVE-2024-27309	MEDIUM6.8	org.apache.kafka:kafka-metadata 3.5.1 fixed in 3.6.2	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 9.4.51.v20230217 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.13.4 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2025-52999	MEDIUM6.38	com.fasterxml.jackson.core:jackson-core 2.13.5 fixed in 2.15.0	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.grpc:grpc-netty-shaded 1.49.0 fixed in 1.75.0	0.9% Theoretical Threat	Directly Exposed
CVE-2025-58057	MEDIUM6.38	io.netty:netty-codec 4.1.94.Final fixed in 4.1.125.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33870	MEDIUM6.38	io.netty:netty-codec-http 4.1.94.Final fixed in 4.1.132.Final, 4.2.10.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2025-58056	MEDIUM6.38	io.netty:netty-codec-http 4.1.94.Final fixed in 4.1.125.Final, 4.2.5.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2025-55163	MEDIUM6.38	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.2.4.Final, 4.1.124.Final	0.9% Theoretical Threat	Directly Exposed
CVE-2026-33871	MEDIUM6.38	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.1.132.Final, 4.2.11.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	MEDIUM6.38	io.netty:netty-handler-proxy 4.1.94.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45292	MEDIUM6.38	io.opentelemetry:opentelemetry-api 1.23.1 fixed in 1.62.0	0.5% Theoretical Threat	Directly Exposed
CVE-2024-29371	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.9.3 fixed in 0.9.6	0.2% Theoretical Threat	Directly Exposed
CVE-2023-51775	MEDIUM6.38	org.bitbucket.b_c:jose4j 0.9.3 fixed in 0.9.4	0.9% Theoretical Threat	Directly Exposed
CVE-2024-9823	MEDIUM6.38	org.eclipse.jetty:jetty-servlets 9.4.51.v20230217 fixed in 9.4.54, 10.0.18, 11.0.18	0.9% Theoretical Threat	Directly Exposed
CVE-2025-66566	MEDIUM6.38	org.lz4:lz4-java 1.8.0 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.6.0 fixed in 42.7.11	0.4% Theoretical Threat	Directly Exposed
CVE-2024-56128	MEDIUM6.29	org.apache.kafka:kafka_2.13 3.5.1 fixed in 3.7.2, 3.8.1	0.8% Theoretical Threat	Directly Exposed
CVE-2024-13009	MEDIUM6.12	org.eclipse.jetty:jetty-server 9.4.51.v20230217 fixed in 9.4.57.v20241219	0.4% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2023-2976	MEDIUM6.03	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	0.2% Theoretical Threat	Directly Exposed
CVE-2024-7254	MEDIUM6	com.google.protobuf:protobuf-java 3.21.7 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-7254	MEDIUM6	com.google.protobuf:protobuf-java 3.25.1 fixed in 3.25.5, 4.27.5, 4.28.2	2.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-45688	MEDIUM6	org.json:json 20220320 fixed in 20230227	1.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-67030	MEDIUM5.98	org.codehaus.plexus:plexus-utils 3.3.1 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2024-2700	MEDIUM5.95	io.quarkus:quarkus-core 2.14.0.Final fixed in 3.9.2, 3.8.4, 3.2.12.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-35554	MEDIUM5.78	org.apache.kafka:kafka-clients 3.5.1 fixed in 3.9.2, 4.0.2, 4.1.2	0.3% Theoretical Threat	Directly Exposed
CVE-2024-23944	MEDIUM5.61	org.apache.zookeeper:zookeeper 3.6.4 fixed in 3.8.4, 3.9.2	0.2% Theoretical Threat	Directly Exposed
CVE-2025-67735	MEDIUM5.52	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.8.Final, 4.1.129.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.1.94.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.51.v20230217 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2025-12183	MEDIUM5.52	org.lz4:lz4-java 1.8.0 fixed in 1.8.1	0.7% Theoretical Threat	Directly Exposed
CVE-2024-29025	MEDIUM5.3	io.netty:netty-codec-http 4.1.94.Final fixed in 4.1.108.Final	1.4% Low-Moderate Risk	Directly Exposed
CVE-2024-31141	MEDIUM5.3	org.apache.kafka:kafka-clients 3.5.1 fixed in 3.7.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-40167	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.51.v20230217 fixed in 9.4.52, 10.0.16, 11.0.16, 12.0.1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-41909	MEDIUM5.02	org.apache.sshd:sshd-common 2.9.2 fixed in 2.12.0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-47535	MEDIUM4.67	io.netty:netty-common 4.1.94.Final fixed in 4.1.115.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2025-25193	MEDIUM4.67	io.netty:netty-common 4.1.94.Final fixed in 4.1.118.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2024-25710	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-26308	MEDIUM4.67	org.apache.commons:commons-compress 1.21 fixed in 1.26.0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.51.v20230217 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2025-3588	MEDIUM4.5	org.jsonschema2pojo:jsonschema2pojo-core 1.1.1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2024-47554	MEDIUM4.3	commons-io:commons-io 2.11.0 fixed in 2.14.0	1.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.12.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.8.1 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2023-35887	LOW3.65	org.apache.sshd:sshd-common 2.9.2 fixed in 2.9.3	1.0% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.94.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2023-44981	LOW3.28	org.apache.zookeeper:zookeeper 3.6.4 fixed in 3.7.2, 3.8.3, 3.9.1	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-36479	LOW3.1	org.eclipse.jetty:jetty-servlets 9.4.51.v20230217 fixed in 9.4.52, 10.0.16, 11.0.16	1.0% Low-Moderate Risk	Directly Exposed
CVE-2026-45674	LOW3.06	io.netty:netty-resolver-dns 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-47691	LOW3.06	io.netty:netty-resolver-dns 4.1.86.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-27727	LOW3	com.mchange:mchange-commons-java 0.2.19 fixed in 0.4.0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42581	LOW3	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2020-8908	LOW2.8	com.google.guava:guava 30.1.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2020-8908	LOW2.8	com.google.guava:guava 31.1-jre fixed in 32.0.0-android	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42579	LOW2.78	io.netty:netty-codec-dns 4.1.86.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.1.94.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2025-24970	LOW2.7	io.netty:netty-handler 4.1.94.Final fixed in 4.1.118.Final	2.0% Low-Moderate Risk	Post-Exploit
CVE-2023-22102	LOW2.54	com.mysql:mysql-connector-j 8.0.33 fixed in 8.2.0	0.9% Theoretical Threat	Post-Exploit
CVE-2025-48924	NONE0	commons-lang:commons-lang 2.6 No fix yet	2.2% Low-Moderate Risk	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.4 fixed in 2.21.1, 2.18.6	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.13.5 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.94.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable
GHSA-xpw8-rcwv-8f8p	NONE0	io.netty:netty-codec-http2 4.1.94.Final fixed in 4.1.100.Final	—	Not Applicable
CVE-2026-33558	NONE0	org.apache.kafka:kafka-clients 3.5.1 fixed in 3.9.2, 4.0.1	0.5% Theoretical Threat	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.22.0 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.22.0 fixed in 4.2.1	—	Not Applicable