Command-line: update MySQL driver to 8.0.16 due to CVE-2018-3258 #2426
Which version and edition of Flyway are you using?
If this is not the latest version, can you reproduce the issue with the latest one as well?
Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)
Which database are you using (type & version)?
Which operating system are you using?
What did you do?
The following vulnerability has been reported on flywaydb by our Sonatype Nexus IQ Scanner during an internal security scan. Please confirm whether flywaydb is impacted by this. If yes, can you please update the jar and share a timeline for the same?
If flywaydb is not impacted, then please provide your comments on why it is not impacted.
Details of the Vulnerability
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Thanks for the heads up! We'll update it to the latest version (8.0.16 or later) before 6.0.0 goes GA. In the meantime, the driver can already easily be upgraded by end users by replacing the bundled version with the latest version from https://search.maven.org/artifact/mysql/mysql-connector-java/8.0.16/jar
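A small check, added here and not part of the issue or of Flyway itself, that inspects the Flyway command-line distribution's `drivers/` directory (the directory name is an assumption) and reports whether the bundled Connector/J jar is older than the 8.0.16 release named above, so an operator can confirm the manual replacement took effect:

```python
"""Report Flyway-bundled MySQL Connector/J jars older than the fixed release.

CVE-2018-3258 affects Connector/J 8.0.12 and prior; the maintainers named
8.0.16 or later as the version to move to, so anything below that is flagged.
"""
import os
import re

# Release named in the issue as the fix; anything older is reported.
FIXED_VERSION = (8, 0, 16)

# Matches e.g. mysql-connector-java-8.0.12.jar (classifier suffixes tolerated).
JAR_RE = re.compile(r"^mysql-connector-java-(\d+)\.(\d+)\.(\d+).*\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) for a Connector/J jar name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """True when the driver is older than the fixed release (conservative)."""
    return version < FIXED_VERSION


def classify_jars(jar_names):
    """Return [(jar_name, version, needs_upgrade)] for Connector/J jars only."""
    report = []
    for name in sorted(jar_names):
        version = parse_version(name)
        if version is not None:
            report.append((name, version, is_affected(version)))
    return report


def scan_drivers_dir(drivers_dir):
    """Classify every Connector/J jar found in a Flyway drivers directory."""
    return classify_jars(os.listdir(drivers_dir))


if __name__ == "__main__":
    import sys
    # Assumed layout: the drivers/ folder of a Flyway command-line install.
    target = sys.argv[1] if len(sys.argv) > 1 else "drivers"
    for name, version, affected in scan_drivers_dir(target):
        state = "UPGRADE (older than 8.0.16, CVE-2018-3258)" if affected else "ok"
        print(f"{name}: {'.'.join(map(str, version))} {state}")
```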