Liquibase - 5 CVEs (Page 1/1)

About “Liquibase”

A curated feed of “Liquibase”-related CVEs appears below. We currently track 5 CVEs for this tag (all time). In the last 365 days, 0 were published. Average CVSS is 7.1 (all time), and 60% are rated High/Critical (all time). Top CWEs (all time): CWE-611 - Improper Restriction of XML External Entity Reference, CWE-862 - Missing Authorization, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a LOW impact class. Developer and CI or CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: liquibase

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL
4.32	2025-05-21	4.32.0	-
4.31	2025-01-16	4.31.1	2025-05-21 Expired
4.30	2024-11-05	4.30.0	2025-01-16 Expired
4.29	2024-07-25	4.29.2	2025-01-06 Expired
4.28	2024-05-21	4.28.0	2024-07-25 Expired
4.27	2024-03-27	4.27.0	2024-05-21 Expired
4.26	2024-02-07	4.26.0	2024-03-27 Expired
4.25	2023-11-13	4.25.1	2024-02-07 Expired
4.24	2023-10-03	4.24.0	2023-11-13 Expired
4.23	2023-06-26	4.23.2	2023-10-03 Expired
4.22	2023-05-11	4.22.0	2023-06-26 Expired
4.21	2023-04-12	4.21.1	2023-05-19 Expired
4.20	2023-03-08	4.20.0	2023-04-13 Expired
4.19	2023-01-17	4.19.1	2023-03-08 Expired
4.18	2022-12-06	4.18.0	2023-01-17 Expired
4.17	2022-10-10	4.17.2	2022-12-06 Expired
4.16	2022-09-09	4.16.1	2022-10-10 Expired
4.15	2022-08-05	4.15.0	2022-09-09 Expired
4.14	2022-07-25	4.14.0	2022-08-05 Expired
4.13	2022-07-11	4.13.0	2022-07-25 Expired
4.12	2022-06-17	4.12.0	2022-07-11 Expired
4.11	2022-05-24	4.11.0	2022-06-17 Expired
4.10	2022-05-05	4.10.0	2022-05-24 Expired
4.9	2022-03-17	4.9.1	2022-05-05 Expired
4.8	2022-02-22	4.8.0	2022-03-17 Expired
4.7	2022-01-10	4.7.1	2022-02-22 Expired
4.6	2021-11-04	4.6.2	2022-01-10 Expired
4.5	2021-09-27	4.5.0	2021-11-04 Expired
4.4	2021-06-09	4.4.3	2021-09-27 Expired
4.3	2021-02-09	4.3.5	2021-06-10 Expired
4.2	2020-11-13	4.2.2	2021-02-09 Expired
4.1	2020-09-28	4.1.1	2020-11-13 Expired
4.0	2020-07-13	4.0.0	2020-09-28 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired) · ICS

Subscribe CVEs: RSS for “Liquibase” · RSS (High+Critical only)

2022-03-04

Critical

CVE-2022-0839

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

CVSS: 9.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

2020-09-23

Medium

CVE-2020-2285

A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD

High

CVE-2020-2284

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVSS: 7.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

Medium

CVE-2020-2283

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control changeset fil…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2018-04-05

High

CVE-2018-1000146

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the…

CVSS: 8.8 CWE: N/A View on NVD