json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370

json-smart in Flyway 9.16.3 is vulnerable to CVE-2023-1370: https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748

When can we expect a newer version of flyway-commandline-9.16.3 released which includes the fix for json-smart? Preferably with json-smart 2.4.10:

NOTE: Although this vulnerability was fixed in version 2.4.9 the maintainer recommends upgrading to 2.4.10, due to a remaining bug. 

Thanks,
Alex

Best Answer

  • Jon_KirkwoodJon_Kirkwood Posts: 438 Gold 1
    Answer ✓
    @AlexSchwartz

    Thank you for your patience whilst the development team worked on this one.

     I can advise that json-smart v2.4.10 is now packaged with Flyway CLI v9.17.0

     

    Downloads for this version can be accessed here:

    https://download.red-gate.com/maven/release/org/flywaydb/enterprise/flyway-commandline/9.17.0

     

    Automated CI/CD pipelines using latest version should start accessing this version normally and manually defined pipelines may need to be updated to resolve this vulnerability.

     

    Flyway Desktop has not yet had an update to the Flyway CLI engine and we are anticipating an update to be made available shortly to bring both CLI & GUI versions of Flyway into line.

    Jon Kirkwood | Technical Support Engineer | Redgate Software

Answers

  • Hi @AlexSchwartz

    Thank you for reaching out on the Redgate forums, I have not been aware of this vulnerability and will escalate this within our development team for their visibility and advisement on impact & resolution.

    Will update this post with confirmation of a version release that resolves the vulnerability or any other steps that may need to be taken.
    Jon Kirkwood | Technical Support Engineer | Redgate Software
  • I have received confirmation overnight that the development team have a fix underway for this vulnerability report.

    My next post should be confirming the release version that resolves this.
    Jon Kirkwood | Technical Support Engineer | Redgate Software
  • SophieNSophieN Posts: 1 New member
    Using docker image redgate/flyway:latest I get below warning. I suppose it is linked to the reported vulnerability.

    WARNING: This version of Flyway is out of date. Upgrade to Flyway 9.16.3: https://rd.gt/3rXiSlV
    <div>Flyway Community Edition 9.16.1 by Redgate</div><div></div><span>See release notes here: <a rel="nofollow" href="https://rd.gt/416ObMi" title="Link: https://rd.gt/416ObMi">https://rd.gt/416ObMi</a></span>


  • AlexSchwartzAlexSchwartz Posts: 3 New member
    Hi @Jon_Kirkwood,

    Thanks for looking into this. Any updates from the development team on when a new version will be available?

    Alex
  • AlexSchwartzAlexSchwartz Posts: 3 New member
    @Jon_Kirkwood Great! Thank you
  • sympathizetracksympathizetrack Posts: 2 New member
    SophieN said:
    Using docker image redgate/flyway:latest I get below warning. I suppose it is linked to the reported vulnerability.

    WARNING: This version of Flyway is out of date. Upgrade to Flyway 9.16.3: https://rd.gt/3rXiSlV 
    <div>Flyway Community Edition 9.16.1 by Redgate</div><div></div>See release notes here: <a rel="nofollow" href="https://rd.gt/416ObMi" title="Link: https://rd.gt/416ObMi">https://rd.gt/416ObMi</a>&nbsp;<a href="https://geometry-lite.io" title="Link: https://geometry-lite.io">geometry dash lite</a>


    Thanks SophieN that's worked. 

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file