-
Hi @AlexSchwartz
Thank you for reaching out on the Redgate forums, I have not been aware of this vulnerability and will escalate this within our development team for their visibility and advisement on impact & resolution.
Will update this post with confirmation of a version release that resolves the vulnerability or any other steps that may need to be taken.
-
I have received confirmation overnight that the development team have a fix underway for this vulnerability report.
My next post should be confirming the release version that resolves this.
-
Using docker image redgate/flyway:latest I get the warning below. I suppose it is linked to the reported vulnerability.
WARNING: This version of Flyway is out of date. Upgrade to Flyway 9.16.3: https://rd.gt/3rXiSlV
Flyway Community Edition 9.16.1 by Redgate
See release notes here: https://rd.gt/416ObMi
-
Hi @Jon_Kirkwood,
Thanks for looking into this. Any updates from the development team on when a new version will be available?
Alex
-
@AlexSchwartz
Thank you for your patience whilst the development team worked on this one.
I can advise that json-smart v2.4.10 is now packaged with Flyway CLI v9.17.0.
Downloads for this version can be accessed here:
https://download.red-gate.com/maven/release/org/flywaydb/enterprise/flyway-commandline/9.17.0
Automated CI/CD pipelines using the latest version should start accessing this version normally, and manually defined pipelines may need to be updated to resolve this vulnerability.
Flyway Desktop has not yet had an update to the Flyway CLI engine and we are anticipating an update to be made available shortly to bring both CLI & GUI versions of Flyway into line.
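A pipeline can confirm which json-smart version an unpacked Flyway CLI actually carries. The script below is an added example, not part of the thread or of Redgate's tooling; it assumes the library sits under the install directory as a separate file with its Maven name, json-smart-<version>.jar, and the install path passed to it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). MIN_FIXED is the version the thread
# recommends: the fix landed in 2.4.9, the maintainer advises 2.4.10.
MIN_FIXED="2.4.10"

# version_ge A B: succeed when dotted version A >= B (numeric, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_json_smart DIR: print one line per bundled json-smart jar.
# Returns 0 if every copy is >= MIN_FIXED, 1 if any is older, 2 if none found.
# Assumption: the jar keeps its Maven name, json-smart-<version>.jar.
check_json_smart() {
    found=0; old=0
    list=$(find "$1" -type f -name 'json-smart-*.jar' | sort)
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        base=${jar##*/}; ver=${base#json-smart-}; ver=${ver%.jar}
        case "$ver" in [0-9]*) ;; *) continue ;; esac   # skip unrelated names
        found=1
        if version_ge "$ver" "$MIN_FIXED"; then
            echo "OK json-smart $ver $jar"
        else
            echo "OLD json-smart $ver $jar"; old=1
        fi
    done <<EOF
$list
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$old" -eq 0 ] || return 1
    return 0
}

# Usage: sh check.sh /path/to/flyway-install (path is a placeholder)
if [ "$#" -gt 0 ]; then check_json_smart "$1"; fi
```

A return code of 2 means no matching jar was found, which should be treated as "unverified" rather than "clean", since the library could be packaged under another name.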
-
@Jon_Kirkwood Great! Thank you
-
When can we expect a newer version of flyway-commandline-9.16.3 released which includes the fix for json-smart? Preferably with json-smart 2.4.10:
NOTE: Although this vulnerability was fixed in version 2.4.9 the maintainer recommends upgrading to 2.4.10, due to a remaining bug.
Thanks,
Alex