json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370
When can we expect a newer version of flyway-commandline-9.16.3 released which includes the fix for json-smart? Preferably with json-smart 2.4.10:
NOTE: Although this vulnerability was fixed in version 2.4.9, the maintainer recommends upgrading to 2.4.10 due to a remaining bug.
Thanks,
Alex
Best Answer
Jon_Kirkwood
@AlexSchwartz
Thank you for your patience whilst the development team worked on this one.
I can advise that json-smart v2.4.10 is now packaged with Flyway CLI v9.17.0
Downloads for this version can be accessed here:
https://download.red-gate.com/maven/release/org/flywaydb/enterprise/flyway-commandline/9.17.0
Automated CI/CD pipelines using the latest version should start picking up this version normally, and manually defined pipelines may need to be updated to resolve this vulnerability.
Flyway Desktop has not yet had an update to the Flyway CLI engine and we are anticipating an update to be made available shortly to bring both CLI & GUI versions of Flyway into line.
Jon Kirkwood | Technical Support Engineer | Redgate Software
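One way to confirm that a deployed Flyway CLI actually carries the fixed dependency, as an added example that is not Redgate's or the Flyway project's own code: the script below walks an unpacked flyway-commandline directory for json-smart jars, parses the version out of the file name (assuming the jar keeps its Maven naming, `json-smart-<version>.jar`), and compares it against the 2.4.10 that the thread recommends. The directory layout, the `FIXED_JSON_SMART` threshold variable and the sample jar names used in the comments are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example, not Redgate's or Flyway's code: report whether a Flyway CLI
# install bundles a json-smart version at or above the recommended 2.4.10
# (the thread's fix for CVE-2023-1370).

FIXED_JSON_SMART="2.4.10"   # version the forum answer recommends

# version_ge A B: exit 0 if dotted numeric version A >= B, else 1.
# Compares component by component so that 2.4.10 > 2.4.9 (string sort would not).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# json_smart_version_from_jar PATH: print the version embedded in a
# json-smart-<version>.jar file name, or nothing if the name does not match
# (assumes Maven-style naming, e.g. json-smart-2.4.8.jar).
json_smart_version_from_jar() {
    basename "$1" | sed -n 's/^json-smart-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# check_flyway_dir DIR: scan DIR recursively for json-smart jars and print one
# line per jar with its verdict. Exit status: 0 = all jars fixed,
# 1 = at least one vulnerable jar, 2 = no json-smart jar found at all.
# (Paths containing whitespace are not handled by the for loop below.)
check_flyway_dir() {
    dir="$1"
    status=2
    for jar in $(find "$dir" -type f -name 'json-smart-*.jar' 2>/dev/null); do
        ver=$(json_smart_version_from_jar "$jar")
        [ -n "$ver" ] || continue
        if version_ge "$ver" "$FIXED_JSON_SMART"; then
            echo "$jar $ver OK (>= $FIXED_JSON_SMART)"
            [ "$status" -eq 1 ] || status=0
        else
            echo "$jar $ver VULNERABLE (< $FIXED_JSON_SMART, CVE-2023-1370)"
            status=1
        fi
    done
    return "$status"
}

# Usage: ./check-json-smart.sh /path/to/flyway-commandline-9.x.y
if [ "$#" -gt 0 ]; then
    check_flyway_dir "$1"
fi
```

Run it against the directory your pipeline unpacks the CLI into; a non-zero exit is a convenient gate for a CI step, and exit status 2 is worth treating as a failure too, since it means the check found nothing to inspect rather than a clean install.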
Answers
Thank you for reaching out on the Redgate forums. I was not aware of this vulnerability and will escalate this within our development team for their visibility and advisement on impact & resolution.
Will update this post with confirmation of a version release that resolves the vulnerability or any other steps that may need to be taken.
My next post should be confirming the release version that resolves this.
Flyway Community Edition 9.16.1 by Redgate
See release notes here: https://rd.gt/416ObMi
Thanks for looking into this. Any updates from the development team on when a new version will be available?
Alex