Vulnerability Reporthyness/spring-cloud-config-server:jre17

hyness/spring-cloud-config-server:latesthyness/spring-cloud-config-server:jre17hyness/spring-cloud-config-server:5.0.3-569460f-jre17hyness/spring-cloud-config-server:5.0-jre17hyness/spring-cloud-config-server:5.0hyness/spring-cloud-config-server:5.0.3

DIGESTsha256:dad520bd94dc67cae079dd07f1ac24c7f592c07dd12dfd7053fa4748d249e656

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. Attackers could exploit CVE-2026-42581 to perform HTTP request smuggling, bypassing security controls and gaining unauthorized access to sensitive configuration data, and CVE-2026-42587 to crash the server via memory exhaustion from compressed payloads. The Spring Boot default web security bypass (CVE-2026-40976) is conditional on missing custom security and specific dependencies, so its exploitability may be limited. No complete workarounds exist for the netty flaws; upgrading to patched versions is mandatory before any deployment.

Threat Score

75/100

DANGEROUS

57 exposed vulnerabilities, 9 with severity ≥6.0 and 1 critical (severity 8.33), including a high-impact HTTP request smuggling flaw in netty.
CVE-2026-42581 (CVSS 8.33) enables request smuggling in HTTP/1.0 messages, directly exposing the Spring Cloud Config Server to unauthorized access attacks.
Multiple high-severity netty vulnerabilities (e.g., CVE-2026-42587, CVE-2026-42585) cause denial of service and request smuggling with no special configuration required.
The image is a popular community build (18M+ pulls) but is not official or verified, and the high severity of findings outweighs reputation trust.

Reputation

RELIABLE

hyness

POPULAR COMMUNITY

High Reputation Community Image (18M+ pulls)
Pinned by digest (Immutable)

Vulnerabilities

Vulnerability Log

99 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40542	MEDIUM6.21	org.apache.httpcomponents.client5:httpclient5 5.6 fixed in 5.6.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-41293	MEDIUM6.21	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-40976	MEDIUM6.18	org.springframework.boot:spring-boot 4.0.5 fixed in 4.0.6	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40973	MEDIUM5.95	org.springframework.boot:spring-boot 4.0.5 fixed in 4.0.6, 3.5.14	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-43512	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34487	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.117, 10.1.54, 11.0.21	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42498	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41726	MEDIUM5.52	org.springframework.kafka:spring-kafka 4.0.4 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22753	MEDIUM5.52	org.springframework.security:spring-security-config 7.0.4 fixed in 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22740	MEDIUM5.52	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22747	MEDIUM5.5	org.springframework.security:spring-security-web 7.0.4 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42587	MEDIUM5.1	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-48043	MEDIUM5.1	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22754	MEDIUM5.1	org.springframework.security:spring-security-config 7.0.4 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 7.0.6 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34483	MEDIUM4.59	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.116, 10.1.54, 11.0.21	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 7.0.6 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22751	MEDIUM4.08	org.springframework.security:spring-security-core 7.0.4 fixed in 6.5.10, 7.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-43514	LOW3.15	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22746	LOW3.15	org.springframework.security:spring-security-core 7.0.4 fixed in 6.5.10, 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45674	LOW3.06	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-47691	LOW3.06	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42579	LOW2.78	io.netty:netty-codec-dns 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42584	LOW2.78	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Post-Exploit
CVE-2025-59250	LOW2.48	com.microsoft.sqlserver:mssql-jdbc 13.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Post-Exploit
CVE-2026-44894	LOW2.29	io.netty:netty-codec-classes-quic 4.2.12.Final fixed in 4.2.15.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42578	LOW2.29	io.netty:netty-handler-proxy 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42198	LOW2.29	org.postgresql:postgresql 42.7.10 fixed in 42.7.11	0.4% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33811	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42582	NONE0	io.netty:netty-codec-http3 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-44892	NONE0	io.netty:netty-codec-http3 4.2.12.Final fixed in 4.2.15.Final	0.5% Theoretical Threat	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-43515	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Not Applicable
CVE-2026-41284	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.8% Theoretical Threat	Not Applicable
CVE-2026-43513	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Not Applicable
CVE-2026-41731	NONE0	org.springframework.kafka:spring-kafka 4.0.4 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Not Applicable
GHSA-2m67-wjpj-xhg9	NONE0	tools.jackson.core:jackson-core 3.1.0 fixed in 3.1.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib 1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib 1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib 1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable