This image carries significant risk; production deployment is discouraged without strict compensating controls. If Maven processes a malicious archive served by a compromised or untrusted repository, an attacker could achieve arbitrary code execution on the build server. Restricting Maven to trusted repositories and disabling automatic extraction of untrusted archives substantially reduces this exposure, but it does not remove the vulnerable code: that requires upgrading plexus-utils to a fixed release (4.0.3 or 3.6.1, per the table below). Note that the vulnerable code path is reachable in Maven's default operation and does not require special configuration to trigger.
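The "trusted repositories only" control above is enforced in Maven through mirror rules in `settings.xml`. The following is an added example, not configuration from the scanned image or the report: it routes every repository any POM declares through one internal artifact proxy and keeps the blocker Maven has shipped since 3.8.1 for plain-HTTP externals. The mirror id and the `artifacts.example.internal` URL are placeholders for your own proxy.

```xml
<!-- ${MAVEN_HOME}/conf/settings.xml baked into the image, or ~/.m2/settings.xml
     for the build user. Added example; ids and URLs below are assumptions. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0
                              https://maven.apache.org/xsd/settings-1.2.0.xsd">
  <mirrors>
    <!-- Mirrors are matched in order (after exact-id matches), so the blocker
         is listed first: any external repository reached over plain HTTP is
         refused outright rather than redirected. This is Maven's own default
         rule since 3.8.1, restated here so a trimmed settings file keeps it. -->
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Block external repositories that use HTTP</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
    <!-- Everything else, including repositories declared in transitive
         dependencies' POMs, is served only by the curated internal proxy.
         Builds can no longer fetch directly from a repository a POM names. -->
    <mirror>
      <id>internal-proxy</id>
      <name>Curated internal artifact proxy (assumed)</name>
      <url>https://artifacts.example.internal/repository/maven-group/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

Verify the rules took effect from inside the image with `mvn -s /path/to/settings.xml help:effective-settings`, which prints the merged mirror list; a build that then fails with a "blocked" or connection error for an external repository is the intended outcome, not a regression.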
| CVE ID | Adjusted Severity | Package (installed version, fixed in) | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2025-67030 | HIGH (7.48) | org.codehaus.plexus:plexus-utils 4.0.2 (fixed in 4.0.3, 3.6.1) | 0.7% (Theoretical Threat) | Directly Exposed; context importance: HIGH |
| CVE-2026-48863 | LOW (2.7) | libsolv 0.7.22-1.amzn2023.0.3 (fixed in 0.7.22-1.amzn2023.0.4) | — | Post-Exploit |
| CVE-2026-48864 | LOW (2.39) | libsolv 0.7.22-1.amzn2023.0.3 (fixed in 0.7.22-1.amzn2023.0.4) | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-9149 | LOW (1.99) | libsolv 0.7.22-1.amzn2023.0.3 (fixed in 0.7.22-1.amzn2023.0.4) | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-9150 | LOW (1.99) | libsolv 0.7.22-1.amzn2023.0.3 (fixed in 0.7.22-1.amzn2023.0.4) | 0.4% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6019 | LOW (1.87) | python3 3.9.25-1.amzn2023.0.5 (fixed in 3.9.25-1.amzn2023.0.6) | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6019 | LOW (1.87) | python3-libs 3.9.25-1.amzn2023.0.5 (fixed in 3.9.25-1.amzn2023.0.6) | 0.2% (Theoretical Threat) | Post-Exploit |