Vulnerability Reporthyness/spring-cloud-config-server:jdk17

Name: hyness/spring-cloud-config-server:5.0.3-569460f-jdk17 Security Vulnerability Report
Creator: BaseImage
Keywords: hyness/spring-cloud-config-server:5.0.3-569460f-jdk17, Docker security, vulnerability scan, CVE, container security, SBOM

hyness/spring-cloud-config-server:jdk17hyness/spring-cloud-config-server:5.0.3-569460f-jdk17hyness/spring-cloud-config-server:5.0-jdk17

DIGESTsha256:8877867995e81ea5381dc24c936c4afa0ba2260b67eb537753600f5f928c4331

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve unauthorized access to all application endpoints, bypass security mechanisms through request smuggling, or trigger sensitive information disclosure. Key vulnerabilities include CVE-2026-42581, a high-severity request smuggling flaw in Netty, and CVE-2026-40976, a Spring Boot security bypass that could allow unauthorized access to all endpoints. While some vulnerabilities require specific conditions to be met, their presence and high impact necessitate immediate remediation or image replacement.

Threat Score

100/100

DANGEROUS

Multiple critical EXPOSED_SURFACE vulnerabilities, with the highest severity being 9.8 from CVE-2026-42581 for request smuggling in Netty, and CVE-2026-40976 (7.73) for a Spring Boot security bypass.
The image contains five EXPOSED_SURFACE vulnerabilities with severity >= 7.0, and a total of 8 with severity >= 6.0, presenting a significant attack surface.
Key vulnerabilities, including CVE-2026-42585 (7.5) and CVE-2026-42581 (9.8), allow for request smuggling attacks that can bypass security controls or lead to unauthorized access.
Despite being identified as a reliable, popular community image with 18M+ pulls, the presence of these severe, exploitable flaws warrants a DANGEROUS verdict for production use.

Reputation

RELIABLE

hyness

POPULAR COMMUNITY

High Reputation Community Image (18M+ pulls)
Pinned by digest (Immutable)

BaseImage/

hyness/spring-cloud-config-server:jdk17

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

58 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	CRITICAL9.8	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: HIGH
CVE-2026-40976	HIGH7.73	org.springframework.boot:spring-boot 4.0.5 fixed in 4.0.6	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42585	HIGH7.5	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: HIGH
CVE-2026-42579	HIGH7.28	io.netty:netty-codec-dns 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-42584	HIGH7.28	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-41417	MEDIUM6.5	io.netty:netty-codec-http 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	—	Directly ExposedContext importance: HIGH
CVE-2026-42580	MEDIUM6.5	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Directly ExposedContext importance: HIGH
CVE-2026-42578	MEDIUM6	io.netty:netty-handler-proxy 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	—	Directly ExposedContext importance: MEDIUM
CVE-2026-40973	MEDIUM5.95	org.springframework.boot:spring-boot 4.0.5 fixed in 4.0.6, 3.5.14	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34487	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.117, 10.1.54, 11.0.21	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22753	MEDIUM5.52	org.springframework.security:spring-security-config 7.0.4 fixed in 7.0.5	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22740	MEDIUM5.52	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM5.5	com.microsoft.sqlserver:mssql-jdbc 13.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22747	MEDIUM5.5	org.springframework.security:spring-security-web 7.0.4 fixed in 7.0.5	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42198	MEDIUM5.1	org.postgresql:postgresql 42.7.10 fixed in 42.7.11	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22754	MEDIUM5.1	org.springframework.security:spring-security-config 7.0.4 fixed in 7.0.5	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 7.0.6 fixed in 7.0.7, 6.2.18	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40542	MEDIUM4.97	org.apache.httpcomponents.client5:httpclient5 5.6 fixed in 5.6.1	0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34483	MEDIUM4.59	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.116, 10.1.54, 11.0.21	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 7.0.6 fixed in 7.0.7, 6.2.18	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM4.42	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22751	MEDIUM4.08	org.springframework.security:spring-security-core 7.0.4 fixed in 6.5.10, 7.0.5	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22746	LOW3.15	org.springframework.security:spring-security-core 7.0.4 fixed in 6.5.10, 7.0.5	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5598	LOW2.29	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-33811	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-33811	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-33814	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39820	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39836	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.12.Final fixed in 4.2.13.Final	—	Not Applicable
CVE-2026-42587	NONE0	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Not Applicable
CVE-2026-42587	NONE0	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	—	Not Applicable
CVE-2026-42582	NONE0	io.netty:netty-codec-http3 4.2.12.Final fixed in 4.2.13.Final	—	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.13.Final	—	Not Applicable
CVE-2026-41293	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
CVE-2026-43512	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
CVE-2026-43515	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
CVE-2026-41284	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
CVE-2026-42498	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
CVE-2026-43513	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
CVE-2026-43514	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	—	Not Applicable
GHSA-2m67-wjpj-xhg9	NONE0	tools.jackson.core:jackson-core 3.1.0 fixed in 3.1.1	—	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-42499	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39823	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39825	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable
CVE-2026-39826	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	—	Not Applicable