json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370

json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370: https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748

When can we expect a newer version of flyway-commandline-9.16.3 to be released which includes the fix for json-smart? Preferably with json-smart 2.4.10:

NOTE: Although this vulnerability was fixed in version 2.4.9, the maintainer recommends upgrading to 2.4.10 due to a remaining bug.

Thanks,
Alex

Best Answer

  • Jon_Kirkwood
    @AlexSchwartz

    Thank you for your patience whilst the development team worked on this one.

    I can advise that json-smart v2.4.10 is now packaged with Flyway CLI v9.17.0.

    Downloads for this version can be accessed here:

    https://download.red-gate.com/maven/release/org/flywaydb/enterprise/flyway-commandline/9.17.0

    Automated CI/CD pipelines using the latest version should start picking up this version normally, and manually defined pipelines may need to be updated to resolve this vulnerability.

    Flyway Desktop has not yet had an update to the Flyway CLI engine and we are anticipating an update to be made available shortly to bring both CLI & GUI versions of Flyway into line.

    Jon Kirkwood | Technical Support Engineer | Redgate Software
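Before and after moving a pipeline to 9.17.0, it is worth confirming which json-smart jar the Flyway CLI you actually run bundles, rather than trusting the version string alone. The script below is an added example and is not Redgate's code or anything posted in this thread. It assumes the unpacked flyway-commandline distribution keeps its dependency jars under lib/ with names of the form json-smart-<version>.jar (an assumption about the CLI layout), and the two sample install directories it builds are constructed for the demonstration, with json-smart versions chosen for illustration rather than taken from real Flyway releases.

```shell
#!/bin/sh
# Added example (not Redgate's code): report which json-smart jar a Flyway CLI
# install bundles and whether it is at or above the version the thread names
# as carrying the CVE-2023-1370 fix. Assumption: dependency jars live under
# <install>/lib and are named json-smart-<version>.jar.

FIXED_JSON_SMART="2.4.10"   # version Redgate says ships with Flyway CLI 9.17.0

# json_smart_version DIR: print the version embedded in the json-smart jar name
# found under DIR, or "none" (with a non-zero status) if there is no such jar.
json_smart_version() {
    jar=$(find "$1" -name 'json-smart-*.jar' 2>/dev/null | head -n 1)
    if [ -z "$jar" ]; then
        echo "none"
        return 1
    fi
    base=$(basename "$jar" .jar)
    echo "${base#json-smart-}"
}

# version_ge A B: succeed if dotted version A is >= B, comparing each numeric
# segment in turn. A missing segment counts as 0 and any -qualifier suffix
# (e.g. -SNAPSHOT) is ignored, so review such builds by hand.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    i=1
    while :; do
        # trailing dot guarantees a delimiter so cut never passes the whole line through
        x=$(echo "$a." | cut -d. -f"$i")
        y=$(echo "$b." | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all segments compared equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# check_flyway_install DIR: print a one-line verdict. Status 0 = fixed,
# 1 = still affected, 2 = json-smart could not be located.
check_flyway_install() {
    ver=$(json_smart_version "$1") || { echo "$1: no json-smart jar found"; return 2; }
    if version_ge "$ver" "$FIXED_JSON_SMART"; then
        echo "$1: json-smart $ver (>= $FIXED_JSON_SMART), fixed"
        return 0
    fi
    echo "$1: json-smart $ver (< $FIXED_JSON_SMART), affected by CVE-2023-1370"
    return 1
}

# make_sample_install DIR VERSION: constructed stand-in for an unpacked CLI,
# using empty placeholder jars (no real Flyway files; versions are illustrative).
make_sample_install() {
    mkdir -p "$1/lib"
    : > "$1/lib/flyway-core.jar"
    : > "$1/lib/json-smart-$2.jar"
}

# Stand-alone demonstration on two constructed layouts. Against a real
# install, run: check_flyway_install /path/to/flyway-commandline-9.17.0
demo_root=$(mktemp -d)
make_sample_install "$demo_root/sample-affected" 2.4.8
make_sample_install "$demo_root/sample-fixed" 2.4.10
for inst in "$demo_root"/sample-*; do
    check_flyway_install "$inst" || true
done
rm -rf "$demo_root"
```

Run it with the real install directory in place of the constructed samples; the non-zero exit status on an affected install makes it usable as a gate in the "manually defined pipelines" the answer mentions, and the same check can be pointed at the lib/ directory inside a container image once it has been exported.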

Answers

  • Hi @AlexSchwartz

    Thank you for reaching out on the Redgate forums. I had not been aware of this vulnerability and will escalate this within our development team for their visibility and advisement on impact & resolution.

    Will update this post with confirmation of a version release that resolves the vulnerability or any other steps that may need to be taken.
    Jon Kirkwood | Technical Support Engineer | Redgate Software
  • I have received confirmation overnight that the development team have a fix underway for this vulnerability report.

    My next post should be confirming the release version that resolves this.
    Jon Kirkwood | Technical Support Engineer | Redgate Software
  • SophieN
    Using docker image redgate/flyway:latest I get the warning below. I suppose it is linked to the reported vulnerability.

    WARNING: This version of Flyway is out of date. Upgrade to Flyway 9.16.3: https://rd.gt/3rXiSlV
    Flyway Community Edition 9.16.1 by Redgate
    See release notes here: https://rd.gt/416ObMi


  • AlexSchwartz
    Hi @Jon_Kirkwood,

    Thanks for looking into this. Any updates from the development team on when a new version will be available?

    Alex
  • AlexSchwartz
    @Jon_Kirkwood Great! Thank you
  • sympathizetrack
    SophieN said:
    Using docker image redgate/flyway:latest I get the warning below. I suppose it is linked to the reported vulnerability.

    WARNING: This version of Flyway is out of date. Upgrade to Flyway 9.16.3: https://rd.gt/3rXiSlV
    Flyway Community Edition 9.16.1 by Redgate
    See release notes here: https://rd.gt/416ObMi

    Thanks SophieN, that's worked.
