Options

json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370

AlexSchwartzAlexSchwartz Posts: 3 New member
in Flyway (General Discussion)
json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370: https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748

When can we expect a newer version of flyway-commandline-9.16.3 released which includes the fix for json-smart? Preferably with json-smart 2.4.10:

NOTE: Although this vulnerability was fixed in version 2.4.9 the maintainer recommends upgrading to 2.4.10, due to a remaining bug. 

Thanks,
Alex
Tagged:
· Share on Twitter

Best Answer

  • Options
    Jon_KirkwoodJon_Kirkwood Posts: 340 Silver 4
    Answer ✓
    @AlexSchwartz

    Thank you for your patience whilst the development team worked on this one.

     I can advise that json-smart v2.4.10 is now packaged with Flyway CLI v9.17.0

     

    Downloads for this version can be accessed here:

    https://download.red-gate.com/maven/release/org/flywaydb/enterprise/flyway-commandline/9.17.0

     

    Automated CI/CD pipelines using latest version should start accessing this version normally and manually defined pipelines may need to be updated to resolve this vulnerability.

     

    Flyway Desktop has not yet had an update to the Flyway CLI engine and we are anticipating an update to be made available shortly to bring both CLI & GUI versions of Flyway into line.

    Jon Kirkwood | Technical Support Engineer | Redgate Software
    · Share on Twitter

Answers

  • Options
    Jon_KirkwoodJon_Kirkwood Posts: 340 Silver 4
    Hi @AlexSchwartz

    Thank you for reaching out on the Redgate forums, I have not been aware of this vulnerability and will escalate this within our development team for their visibility and advisement on impact & resolution.

    Will update this post with confirmation of a version release that resolves the vulnerability or any other steps that may need to be taken.
    Jon Kirkwood | Technical Support Engineer | Redgate Software
    · Share on Twitter
  • Options
    Jon_KirkwoodJon_Kirkwood Posts: 340 Silver 4
    I have received confirmation overnight that the development team have a fix underway for this vulnerability report.

    My next post should be confirming the release version that resolves this.
    Jon Kirkwood | Technical Support Engineer | Redgate Software
    · Share on Twitter
  • Options
    SophieNSophieN Posts: 1 New member
    Using docker image redgate/flyway:latest I get below warning. I suppose it is linked to the reported vulnerability.

    WARNING: This version of Flyway is out of date. Upgrade to Flyway 9.16.3: https://rd.gt/3rXiSlV
    <div>Flyway Community Edition 9.16.1 by Redgate</div><div></div><span>See release notes here: <a rel="nofollow" href="https://rd.gt/416ObMi" title="Link: https://rd.gt/416ObMi">https://rd.gt/416ObMi</a></span>


    · Share on Twitter
  • Options
    AlexSchwartzAlexSchwartz Posts: 3 New member
    Hi @Jon_Kirkwood,

    Thanks for looking into this. Any updates from the development team on when a new version will be available?

    Alex
    · Share on Twitter
  • Options
    AlexSchwartzAlexSchwartz Posts: 3 New member
    @Jon_Kirkwood Great! Thank you
    · Share on Twitter

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Format
SpoilerCodeQuote
Heading 2Heading 1
Emoji
:):D;):\:/:o:s:p:'-(:|:-|B)o:)<38-)=)>_<:3:{/\:(`,`:‑J*|*<|>=}:[]:$B^D8D:‑D:O:'(>:O;‑]%‑);^)=p(~)=]xx:]
Url
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file
Home Flyway (General Discussion)Comment As ...