Vulnerability Reportsonatype/nexus3:3.92.3

sonatype/nexus3:3.92.3-alpinesonatype/nexus3:3.92.3

DIGESTsha256:c480a686375bd15a76d9011b7ae263ddffe3897659d183ce88c3a53998453aa2

Executive Summary

Threat ScoreDANGEROUS• 53 exposed vulnerabilities, 4 with severity ≥7 and max severity 8.5• Critical Netty CVEs (CVE-2026-45674, CVE-2026-47691) enable DNS cache poisoning, redirecting artifact downloads• HTTP request smuggling (CVE-2026-42581) can bypass security controls and expose data• TLS denial-of-service (CVE-2026-45416) possible via default SniHandler configuration• Threat score of 100 indicates maximum calculated risk• Verified publisher (sonatype) but vulnerability profile overrides trust

100/100DANGEROUS

ReputationVERIFIED• Verified Publisher (Trusted Vendor)• Pinned by digest (Immutable)

TRUSTED

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit DNS poisoning (CVE-2026-45674) or HTTP request smuggling (CVE-2026-42581) to redirect artifact downloads to malicious servers, bypass authentication, or cause denial of service via memory exhaustion. All critical vulnerabilities are remotely exploitable without special configuration, making immediate remediation or image replacement mandatory.

Vulnerabilities

Vulnerability Log

74 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45674	HIGH8.5	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-47691	HIGH8.5	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42579	HIGH7.73	io.netty:netty-codec-dns 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42584	MEDIUM6.18	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42587	MEDIUM5.1	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42587	MEDIUM5.1	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-48043	MEDIUM5.1	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45292	MEDIUM5.1	io.opentelemetry:opentelemetry-api 1.47.0 fixed in 1.62.0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42198	MEDIUM5.1	org.postgresql:postgresql 42.7.2 fixed in 42.7.11	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-50020	MEDIUM4.5	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-50560	MEDIUM4.5	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-23903	MEDIUM4.5	org.apache.shiro:shiro-spring 1.13.0 fixed in 2.1.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.5.19 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42578	LOW3.83	io.netty:netty-handler-proxy 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	LOW3.21	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.6-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.5.6-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-23901	LOW2.12	org.apache.shiro:shiro-core 1.13.0 fixed in 2.1.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW1.89	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW1.81	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	openssl 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-8149	NONE0	org.bouncycastle:bc-fips 2.1.2 No fix yet	0.2% Theoretical Threat	Not Applicable