CVEs in Liquibase-latest Docker Container

Good Morning,

We’re experimenting with Liquibase using your Docker Hub containers, and Artifactory X-Ray identified a few High Severity vulnerabilities. They all appear to be from outdated Python libraries. I’ll list them below, grouped by package with a couple of related items added.

Thanks

| CVE | Severity | Library | URL | Fix Version | Current | Latest |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-6345 | High | setuptools | setuptools · PyPI | 70.0.0 | 65.5.0 | 76.0.0 |
| CVE-2022-40897 | Medium | setuptools | | 65.5.1 | 65.5.0 | |
| CVE-2023-43804 | High | urllib3 | urllib3 · PyPI | 1.26.17, 2.0.6 | 1.26.15 | 2.3.0 |
| CVE-2024-37891 | Medium | urllib3 | | 1.26.19, 2.2.2 | 1.26.15 | |
| CVE-2023-45803 | Medium | urllib3 | | 1.26.18, 2.0.7 | 1.26.15 | |
| CVE-2024-4340 | High | sqlparse | sqlparse · PyPI | 0.5.0 | 0.4.3 | 0.5.3 |
| CVE-2023-30608 | High | sqlparse | | 0.4.4 | 0.4.3 | |
| CVE-2018-20225 | High | Pip | pip · PyPI | ??? | 23.2.1 | 25.0.1 |
| CVE-2023-5752 | Low | Pip | | 23.3 | 23.2.1 | |
| CVE-2024-45336 | unknown | github.com/golang/go | | 1.22.11, 1.23.5, 1.24.0-rc.2 | 1.22.7 | 1.24.1 |
| CVE-2024-45341 | unknown | github.com/golang/go | | 1.22.11, 1.23.5, 1.24.0-rc.2 | 1.22.7 | |
| CVE-2025-22866 | unknown | github.com/golang/go | | 1.22.12, 1.23.6, 1.24.0-rc.3 | 1.22.7 | |
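An added example, not code from the thread or from Liquibase: it takes the current and fix versions from the X-Ray table above and checks, per CVE, whether the installed version is below the fix on its own release branch. The branch heuristic (longest shared version prefix, lowest fix on ties) and the version parser are my own assumptions; rows with "???" have no fix version in the report and come back as None.

```python
import re
from itertools import takewhile
from typing import NamedTuple

# Findings copied from the X-Ray table in the post above; "???" = no fix version listed.
CURRENT = {"setuptools": "65.5.0", "urllib3": "1.26.15", "sqlparse": "0.4.3",
           "pip": "23.2.1", "go": "1.22.7"}
FINDINGS = [  # (CVE, library, fix versions as listed in the report)
    ("CVE-2024-6345", "setuptools", "70.0.0"), ("CVE-2022-40897", "setuptools", "65.5.1"),
    ("CVE-2023-43804", "urllib3", "1.26.17, 2.0.6"), ("CVE-2024-37891", "urllib3", "1.26.19, 2.2.2"),
    ("CVE-2023-45803", "urllib3", "1.26.18, 2.0.7"), ("CVE-2024-4340", "sqlparse", "0.5.0"),
    ("CVE-2023-30608", "sqlparse", "0.4.4"), ("CVE-2018-20225", "pip", "???"),
    ("CVE-2023-5752", "pip", "23.3"), ("CVE-2024-45336", "go", "1.22.11, 1.23.5, 1.24.0-rc.2"),
    ("CVE-2024-45341", "go", "1.22.11, 1.23.5, 1.24.0-rc.2"),
    ("CVE-2025-22866", "go", "1.22.12, 1.23.6, 1.24.0-rc.3"),
]

class Version(NamedTuple):
    release: tuple   # numeric components, e.g. (1, 24, 0)
    pre: tuple       # () for a final release, ("rc", 2) for 1.24.0-rc.2

def parse_version(text: str) -> Version:
    # Assumed grammar: dotted integers, optional a/b/rc pre-release (e.g. 1.24.0-rc.2).
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-?(a|b|rc)\.?(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    pre = (m.group(2), int(m.group(3))) if m.group(2) else ()
    return Version(release, pre)

def sort_key(v: Version):
    # Pad to 4 components so 23.3 == 23.3.0.0; a pre-release sorts below its final.
    return (v.release + (0,) * (4 - len(v.release)), 0 if v.pre else 1, v.pre)

def shared_prefix(a: Version, b: Version) -> int:
    # Number of leading release components the two versions have in common.
    return sum(1 for _ in takewhile(lambda p: p[0] == p[1], zip(a.release, b.release)))

def branch_fix(current: Version, fixes: list) -> Version:
    # Fix on the same release branch: longest shared prefix, lowest version on ties.
    return max(sorted(fixes, key=sort_key), key=lambda f: shared_prefix(current, f))

def is_vulnerable(current: str, fix_list: str):
    if fix_list.strip() == "???":
        return None   # the report lists no fix version; cannot decide from this data
    cur = parse_version(current)
    fixes = [parse_version(f) for f in fix_list.split(",")]
    return sort_key(cur) < sort_key(branch_fix(cur, fixes))

def report() -> dict:
    # CVE -> True (below fix on its branch), False (at or above fix), None (no fix listed)
    return {cve: is_vulnerable(CURRENT[lib], fix) for cve, lib, fix in FINDINGS}
```

For every row in the report except the pip "???" entry the cached image comes back vulnerable, which matches the posted table; the same function shows that 1.26.18 would satisfy CVE-2023-43804 while 2.0.5 would not.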

Thanks @wmenton. Can I ask which image and version you are using? The latest release of our Docker Official Image is showing no High severity CVEs.

@Pete We’re using liquibase-latest
The container currently cached has this SHA
dad0424a2cf53703567942e1ddf4e4b5e3f890381cc38cd6fd51a2e9053ae89d

Which, now that I’m looking at it, is not actually the latest. We’ll update on our side. Sorry about the bandwidth.

Thanks @wmenton. We always appreciate a heads up from the community, especially with CVEs.