Vulnerability Reportzookeeper:latest

Name: zookeeper:3.9.5-jre-17 Security Vulnerability Report
Creator: BaseImage
Keywords: zookeeper:3.9.5-jre-17, Docker security, vulnerability scan, CVE, container security, SBOM

zookeeper:latestzookeeper:3.9.5-jre-17zookeeper:3.9.5zookeeper:3.9-jre-17zookeeper:3.9

DIGESTsha256:e12cace7b5fcfaadf17d6532e83fd8fe71fdf40ab73f22370ccc314bcf7a38b4

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. A remote attacker could exploit vulnerabilities like CVE-2026-42013 to bypass certificate validation, enabling spoofing or man-in-the-middle attacks, or utilize CVE-2026-2332 to smuggle HTTP requests, potentially bypassing security controls and accessing unauthorized resources. The HTTP request smuggling vulnerability (CVE-2026-2332) is particularly concerning given ZooKeeper's potential use of Jetty, especially if the AdminServer is enabled through the ZOO_ADMINSERVER_ENABLED environment variable. The presence of multiple high-severity flaws that directly impact secure communication and service integrity makes this image unsuitable for secure deployments.

Threat Score

75/100

DANGEROUS

Two critical remote vulnerabilities with high contextual importance are present: CVE-2026-42013 (severity 8.2) allows certificate validation bypass, and CVE-2026-2332 (severity 7.73) enables HTTP request smuggling.
CVE-2026-42013 poses a direct risk of spoofing or man-in-the-middle attacks by undermining TLS certificate validation, which is critical for secure communication.
CVE-2026-2332 specifically affects Jetty HTTP/1.1, a component likely used by ZooKeeper's AdminServer, potentially leading to security control bypasses or unauthorized access.
The image has a high number of exposed vulnerabilities (38 total), with 5 having a severity of 6.0 or higher, and a maximum severity of 8.2.
Multiple GnuTLS vulnerabilities (e.g., CVE-2026-42010, CVE-2026-3833) could lead to authentication or policy bypasses depending on specific TLS configurations, further increasing the attack surface.

Reputation

TRUSTED

Docker Official

OFFICIAL

Official Docker Hub Image
Pinned by digest (Immutable)

BaseImage/

zookeeper:latest

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

66 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42013	HIGH8.2	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	—	Directly ExposedContext importance: HIGH
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 9.4.58.v20250814 fixed in 12.1.7, 12.0.33	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42010	MEDIUM6.66	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-3833	MEDIUM6.29	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42011	MEDIUM6.29	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42012	MEDIUM5.68	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	—	Directly ExposedContext importance: MEDIUM
CVE-2026-6238	MEDIUM5.52	libc6 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40226	MEDIUM5.44	libsystemd0 249.11-0ubuntu3.20 fixed in 249.11-0ubuntu3.21	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.3.15 fixed in 1.5.19, 1.3.16	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM5.3	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	—	Directly Exposed
CVE-2024-6763	MEDIUM5.3	org.eclipse.jetty:jetty-http 9.4.58.v20250814 fixed in 12.0.12	1.0% Low-Moderate Risk	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc-bin 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2024-2236	MEDIUM5.02	libgcrypt20 1.9.4-3ubuntu3 No fix yet	0.7% Theoretical Threat	Directly Exposed
CVE-2023-7008	MEDIUM5.02	libsystemd0 249.11-0ubuntu3.20 fixed in 249.11-0ubuntu3.21	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5260	MEDIUM4.92	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	—	Directly Exposed
CVE-2022-27943	MEDIUM4.67	gcc-12-base 12.3.0-1ubuntu1~22.04.3 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-66382	MEDIUM4.67	libexpat1 2.4.7-1ubuntu0.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgcc-s1 12.3.0-1ubuntu1~22.04.3 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libstdc++6 12.3.0-1ubuntu1~22.04.3 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33845	MEDIUM4.64	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42009	MEDIUM4.5	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	—	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc-bin 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	liblzma5 5.2.5-2ubuntu1 fixed in 5.2.5-2ubuntu1.1	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.3.15 fixed in 1.5.25	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-41989	LOW3.83	libgcrypt20 1.9.4-3ubuntu3 fixed in 1.9.4-3ubuntu3.2	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33846	LOW3.83	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	<0.1% Theoretical Threat	Directly Exposed
CVE-2017-11164	LOW3.83	libpcre3 2:8.39-13ubuntu0.22.04.1 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-3832	LOW3.15	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-45582	LOW2.86	tar 1.34+dfsg-1ubuntu0.1.22.04.2 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-5704	LOW2.8	tar 1.34+dfsg-1ubuntu0.1.22.04.2 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-40228	LOW2.8	libsystemd0 249.11-0ubuntu3.20 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	LOW2.4	bsdutils 1:2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	mount 2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	util-linux 2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2022-41409	LOW2.29	libpcre2-8-0 10.39-3ubuntu0.1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2022-4899	LOW2.29	libzstd1 1.4.8+dfsg-3build1 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2024-56433	LOW2.16	login 1:4.8.1-2ubuntu2.2 No fix yet	4.5% Low-Moderate Risk	Post-Exploit
CVE-2024-56433	LOW2.16	passwd 1:4.8.1-2ubuntu2.2 No fix yet	4.5% Low-Moderate Risk	Post-Exploit
CVE-2026-6238	LOW1.99	libc-bin 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2021-31879	LOW1.87	wget 1.21.2-2ubuntu1.1 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2023-29383	LOW1.68	login 1:4.8.1-2ubuntu2.2 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2023-29383	LOW1.68	passwd 1:4.8.1-2ubuntu2.2 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2023-50495	NONE0	libncurses6 6.3-2ubuntu0.1 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	libncursesw6 6.3-2ubuntu0.1 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	libtinfo6 6.3-2ubuntu0.1 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-6238	NONE0	locales 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	ncurses-base 6.3-2ubuntu0.1 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	ncurses-bin 6.3-2ubuntu0.1 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-40226	NONE0	libudev1 249.11-0ubuntu3.20 fixed in 249.11-0ubuntu3.21	<0.1% Theoretical Threat	Not Applicable
CVE-2023-7008	NONE0	libudev1 249.11-0ubuntu3.20 fixed in 249.11-0ubuntu3.21	0.5% Theoretical Threat	Not Applicable
CVE-2026-5435	NONE0	locales 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-4046	NONE0	locales 2.35-0ubuntu3.13 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-27456	NONE0	libblkid1 2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-27456	NONE0	libmount1 2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-27456	NONE0	libsmartcols1 2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-27456	NONE0	libuuid1 2.37.2-4ubuntu3.5 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-40228	NONE0	libudev1 249.11-0ubuntu3.20 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42014	NONE0	libgnutls30 3.7.3-4ubuntu1.8 fixed in 3.7.3-4ubuntu1.9	—	Not Applicable
CVE-2026-40930	NONE0	libpng16-16 1.6.37-3ubuntu0.5 No fix yet	—	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.15.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.130.Final fixed in 4.1.133.Final	—	Not Applicable
CVE-2026-44249	NONE0	io.netty:netty-handler 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45416	NONE0	io.netty:netty-handler 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable
CVE-2026-45536	NONE0	io.netty:netty-transport-native-epoll 4.1.130.Final fixed in 4.2.15.Final, 4.1.135.Final	—	Not Applicable