We ran a vulnerability scan on our application that uses Liquibase and a total of 80 critical (30) and high (50) rated CVSSv3 vulnerabilities were detected.
The following components were detected as outdated and vulnerable:
jackson-databind
sqlite3 3.23.1
tika
httpcomponents-client
Below are the identified vulnerabilities
More details can be found at NVD - Vulnerabilities
Could someone help shed some light on when these components might get upgraded?
Thanks,
Dishant
Please follow our SECURITY.md found here:
# Responsible Disclosure Policy
We encourage security researchers and users to share the details of any suspected vulnerabilities with the Liquibase Information Security Team by submitting the relevant information. Liquibase will review the submission to determine if the finding is valid and has not been previously reported. We require submitters to include detailed information with steps for us to reproduce the vulnerability.
## Our Commitment:
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Liquibase commits to:
* Working with you to understand and validate the issue
* Addressing the risk (if deemed appropriate by Liquibase)
## Noncompliance:
Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Liquibase will deem the submission as noncompliant with this Responsible Disclosure Policy.
In addition, to remain compliant you are prohibited from:
* Accessing, downloading, or modifying data residing in an account that does not belong to you
* Executing or attempting to execute any “Denial of Service” attack
* Posting, transmitting, uploading, linking to, sending, or storing any malicious software
* Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
We will need to understand a few more details, as we also scan on our end before we release and do not release with critical or high CVEs in the Liquibase code.
Thanks,
KT