Vulnerability Reportgocd/gocd-server:v23.4.0

gocd/gocd-server:v23.4.0

DIGESTsha256:958c1046c20c8be26447ccd07c6675e44d0a81847f194f20397b33a180820226

Executive Summary

Threat ScoreDANGEROUS• 115 total exposed vulnerabilities, with 24 rated high-severity (CVSS >= 7) and a maximum severity of 10.0.• Critical remote code execution vulnerabilities: CVE-2022-22965 (Spring Framework RCE) and CVE-2024-32002 (Git recursive clone RCE) both have severe impact and high exploitability.• ActiveMQ CVE-2026-34197 allows authenticated RCE with EPSS 0.96, and the Jolokia endpoint is likely exposed.• Multiple high-severity vulnerabilities in Spring, H2, and components enable unauthenticated or low-privilege attacks leading to full server compromise.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker can achieve remote code execution on the GoCD server via unauthenticated exploitation of Spring data binding (CVE-2022-22965) or malicious repository cloning (CVE-2024-32002), both of which are highly likely to succeed (EPSS > 0.99 and 0.25 respectively). Additionally, authenticated RCE via ActiveMQ Jolokia (CVE-2026-34197) is almost certain to be exploited if the interface is reachable. While some vulnerabilities require non-default configurations (e.g., H2 Console exposure), the core Spring and Git flaws are directly applicable to the typical GoCD deployment (WAR on Tomcat, SCM fetches) and offer no practical workarounds. The high volume (24 high-severity CVEs) and severity of the findings make this image unsuitable for any production environment without immediate remediation.

Vulnerabilities

Vulnerability Log

175 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2022-22965	CRITICAL10	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2022-22965	CRITICAL10	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-32002	CRITICAL10	git 2.40.1-r0 fixed in 2.40.3-r0	25.3% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-40466	HIGH8.8	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly Exposed
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2016-1000027	HIGH8	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-34197	HIGH8	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-1597	HIGH7.84	org.postgresql:postgresql 42.6.0 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-6119	HIGH7.8	libcrypto3 3.1.4-r0 fixed in 3.1.7-r0	66.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-6119	HIGH7.8	libssl3 3.1.4-r0 fixed in 3.1.7-r0	66.6% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2024-38819	HIGH7.8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.18 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2023-52425	HIGH7.5	libexpat 2.5.0-r1 fixed in 2.6.0-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-28757	HIGH7.5	libexpat 2.5.0-r1 fixed in 2.6.2-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2024-45490	HIGH7.5	libexpat 2.5.0-r1 fixed in 2.6.3-r0	1.7% Low-Moderate Risk	Directly Exposed
CVE-2024-8176	HIGH7.5	libexpat 2.5.0-r1 fixed in 2.7.0-r0	1.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-client 5.18.3 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-openwire-legacy 5.18.3 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2025-48976	MEDIUM6.89	commons-fileupload:commons-fileupload 1.5 fixed in 1.6.0	63.3% Actively Exploited	Directly Exposed
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2023-6129	MEDIUM6.5	libcrypto3 3.1.4-r0 fixed in 3.1.4-r3	2.3% Low-Moderate Risk	Directly Exposed
CVE-2023-6129	MEDIUM6.5	libssl3 3.1.4-r0 fixed in 3.1.4-r3	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bcprov-jdk18on 1.76 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 10.0.18 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-22259	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-22262	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2023-6378	MEDIUM6.38	ch.qos.logback:logback-classic 1.4.11 fixed in 1.3.12, 1.4.12, 1.2.13	0.9% Theoretical Threat	Directly Exposed
CVE-2023-6378	MEDIUM6.38	ch.qos.logback:logback-core 1.4.11 fixed in 1.3.12, 1.4.12, 1.2.13	0.9% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 5.18.3 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.74 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.76 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.76 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.2 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.6.0 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2024-32004	MEDIUM6.24	git 2.40.1-r0 fixed in 2.40.3-r0	1.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2023-48795	MEDIUM6.14	openssh-client-common 9.3_p2-r0 fixed in 9.3_p2-r1	93.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-48795	MEDIUM6.14	openssh-client-default 9.3_p2-r0 fixed in 9.3_p2-r1	93.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-48795	MEDIUM6.14	openssh-keygen 9.3_p2-r0 fixed in 9.3_p2-r1	93.3% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-26519	MEDIUM5.95	musl 1.2.4-r2 fixed in 1.2.4-r3	0.3% Theoretical Threat	Directly Exposed
CVE-2025-26519	MEDIUM5.95	musl-utils 1.2.4-r2 fixed in 1.2.4-r3	0.3% Theoretical Threat	Directly Exposed
CVE-2023-6237	MEDIUM5.9	libcrypto3 3.1.4-r0 fixed in 3.1.4-r4	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-5535	MEDIUM5.9	libcrypto3 3.1.4-r0 fixed in 3.1.6-r0	5.6% Low-Moderate Risk	Directly Exposed
CVE-2024-50602	MEDIUM5.9	libexpat 2.5.0-r1 fixed in 2.6.4-r0	1.0% Low-Moderate Risk	Directly Exposed
CVE-2023-6237	MEDIUM5.9	libssl3 3.1.4-r0 fixed in 3.1.4-r4	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-5535	MEDIUM5.9	libssl3 3.1.4-r0 fixed in 3.1.6-r0	5.6% Low-Moderate Risk	Directly Exposed
CVE-2024-4741	MEDIUM5.6	libcrypto3 3.1.4-r0 fixed in 3.1.6-r0	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-4741	MEDIUM5.6	libssl3 3.1.4-r0 fixed in 3.1.6-r0	2.9% Low-Moderate Risk	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.76 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.18 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2024-0727	MEDIUM5.5	libcrypto3 3.1.4-r0 fixed in 3.1.4-r5	3.2% Low-Moderate Risk	Directly Exposed
CVE-2024-0727	MEDIUM5.5	libssl3 3.1.4-r0 fixed in 3.1.4-r5	3.2% Low-Moderate Risk	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.4.11 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2023-5678	MEDIUM5.3	libcrypto3 3.1.4-r0 fixed in 3.1.4-r1	4.5% Low-Moderate Risk	Directly Exposed
CVE-2024-4603	MEDIUM5.3	libcrypto3 3.1.4-r0 fixed in 3.1.5-r0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2023-5678	MEDIUM5.3	libssl3 3.1.4-r0 fixed in 3.1.4-r1	4.5% Low-Moderate Risk	Directly Exposed
CVE-2024-4603	MEDIUM5.3	libssl3 3.1.4-r0 fixed in 3.1.5-r0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 6.7.0.202309050840-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bcprov-jdk18on 1.76 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2024-2511	MEDIUM4.81	libcrypto3 3.1.4-r0 fixed in 3.1.4-r6	54.0% Actively Exploited	Directly Exposed
CVE-2024-2511	MEDIUM4.81	libssl3 3.1.4-r0 fixed in 3.1.4-r6	54.0% Actively Exploited	Directly Exposed
CVE-2023-52426	MEDIUM4.67	libexpat 2.5.0-r1 fixed in 2.6.0-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2024-12798	MEDIUM4.67	ch.qos.logback:logback-core 1.4.11 fixed in 1.5.13, 1.3.15	0.4% Theoretical Threat	Directly Exposed
CVE-2024-6197	MEDIUM4.5	curl 8.4.0-r0 fixed in 8.9.0-r0	4.3% Low-Moderate Risk	Post-Exploit
CVE-2024-52006	MEDIUM4.5	git 2.40.1-r0 fixed in 2.40.4-r0	1.0% Low-Moderate Risk	Post-Exploit
CVE-2024-6197	MEDIUM4.5	libcurl 8.4.0-r0 fixed in 8.9.0-r0	4.3% Low-Moderate Risk	Post-Exploit
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.74 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.76 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2024-34447	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2024-34447	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.76 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.76 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.18 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2024-7264	MEDIUM4.48	curl 8.4.0-r0 fixed in 8.9.1-r0	16.2% High Exploitation Risk	Post-Exploit
CVE-2024-7264	MEDIUM4.48	libcurl 8.4.0-r0 fixed in 8.9.1-r0	16.2% High Exploitation Risk	Post-Exploit
CVE-2024-29131	MEDIUM4.4	org.apache.commons:commons-configuration2 2.9.0 fixed in 2.10.1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29133	MEDIUM4.4	org.apache.commons:commons-configuration2 2.9.0 fixed in 2.10.1	1.7% Low-Moderate Risk	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.4.11 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2025-26465	MEDIUM4.08	openssh-client-common 9.3_p2-r0 fixed in 9.3_p2-r3	7.0% Low-Moderate Risk	Post-Exploit
CVE-2025-26465	MEDIUM4.08	openssh-client-default 9.3_p2-r0 fixed in 9.3_p2-r3	7.0% Low-Moderate Risk	Post-Exploit
CVE-2025-26465	MEDIUM4.08	openssh-keygen 9.3_p2-r0 fixed in 9.3_p2-r3	7.0% Low-Moderate Risk	Post-Exploit
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libcrypto3 3.1.4-r0 fixed in 3.1.8-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libssl3 3.1.4-r0 fixed in 3.1.8-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-32465	LOW3.98	git 2.40.1-r0 fixed in 2.40.3-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2023-46218	LOW3.9	curl 8.4.0-r0 fixed in 8.5.0-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-9681	LOW3.9	curl 8.4.0-r0 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2023-46218	LOW3.9	libcurl 8.4.0-r0 fixed in 8.5.0-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-9681	LOW3.9	libcurl 8.4.0-r0 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2024-6387	LOW3.79	openssh-client-common 9.3_p2-r0 fixed in 9.3_p2-r2	99.5% Actively Exploited	Post-Exploit
CVE-2024-6387	LOW3.79	openssh-client-default 9.3_p2-r0 fixed in 9.3_p2-r2	99.5% Actively Exploited	Post-Exploit
CVE-2024-6387	LOW3.79	openssh-keygen 9.3_p2-r0 fixed in 9.3_p2-r2	99.5% Actively Exploited	Post-Exploit
CVE-2024-9143	LOW3.7	libcrypto3 3.1.4-r0 fixed in 3.1.7-r1	6.0% Low-Moderate Risk	Directly Exposed
CVE-2024-9143	LOW3.7	libssl3 3.1.4-r0 fixed in 3.1.7-r1	6.0% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.13.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 5.18.3 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2024-32021	LOW3.62	git 2.40.1-r0 fixed in 2.40.3-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2024-11053	LOW3.54	curl 8.4.0-r0 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-11053	LOW3.54	libcurl 8.4.0-r0 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-45491	LOW3.53	libexpat 2.5.0-r1 fixed in 2.6.3-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-45492	LOW3.53	libexpat 2.5.0-r1 fixed in 2.6.3-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2024-8096	LOW3.31	curl 8.4.0-r0 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2024-8096	LOW3.31	libcurl 8.4.0-r0 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2021-23463	LOW3.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Post-Exploit
CVE-2024-2379	LOW3.24	curl 8.4.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-2379	LOW3.24	libcurl 8.4.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-46219	LOW3.18	curl 8.4.0-r0 fixed in 8.5.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-0853	LOW3.18	curl 8.4.0-r0 fixed in 8.6.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-2466	LOW3.18	curl 8.4.0-r0 fixed in 8.7.1-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2024-2004	LOW3.18	curl 8.4.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-46219	LOW3.18	libcurl 8.4.0-r0 fixed in 8.5.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-0853	LOW3.18	libcurl 8.4.0-r0 fixed in 8.6.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-2466	LOW3.18	libcurl 8.4.0-r0 fixed in 8.7.1-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2024-2004	LOW3.18	libcurl 8.4.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2021-22112	LOW3.17	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Post-Exploit
CVE-2025-46551	LOW3.15	rubygems:jruby-openssl 0.14.2 fixed in 0.15.4	0.2% Theoretical Threat	Directly Exposed
CVE-2024-2398	LOW3.1	curl 8.4.0-r0 fixed in 8.7.1-r0	36.1% High Exploitation Risk	Post-Exploit
CVE-2024-2398	LOW3.1	libcurl 8.4.0-r0 fixed in 8.7.1-r0	36.1% High Exploitation Risk	Post-Exploit
CVE-2024-22257	LOW3	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Post-Exploit
CVE-2023-42363	LOW2.8	busybox 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42364	LOW2.8	busybox 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42365	LOW2.8	busybox 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	busybox 1.36.1-r4 fixed in 1.36.1-r6	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42363	LOW2.8	busybox-binsh 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42364	LOW2.8	busybox-binsh 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42365	LOW2.8	busybox-binsh 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	busybox-binsh 1.36.1-r4 fixed in 1.36.1-r6	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42363	LOW2.8	ssl_client 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42364	LOW2.8	ssl_client 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42365	LOW2.8	ssl_client 1.36.1-r4 fixed in 1.36.1-r7	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	ssl_client 1.36.1-r4 fixed in 1.36.1-r6	0.4% Theoretical Threat	Post-Exploit
CVE-2024-12801	LOW2.8	ch.qos.logback:logback-core 1.4.11 fixed in 1.5.13, 1.3.15	0.2% Theoretical Threat	Directly Exposed
CVE-2024-50349	LOW2.4	git 2.40.1-r0 fixed in 2.40.4-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-0665	LOW2.4	curl 8.4.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	curl 8.4.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0665	LOW2.4	libcurl 8.4.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	libcurl 8.4.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2024-6874	LOW2.19	curl 8.4.0-r0 fixed in 8.9.0-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2024-6874	LOW2.19	libcurl 8.4.0-r0 fixed in 8.9.0-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2024-32020	LOW1.68	git 2.40.1-r0 fixed in 2.40.3-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2025-0167	NONE0	curl 8.4.0-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	libcurl 8.4.0-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.15.3 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.9.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable