
CPS-963: Liquibase has a serious vulnerability, upgrade required


Liquibase has a serious vulnerability. It should be updated to the latest version.

https://nvd.nist.gov/vuln/detail/CVE-2022-0839

The latest version of Liquibase is 4.9.1. Currently we use version 4.4.2, from which we have removed proprietary code that needs a Liquibase Pro license to be used. An investigation has been done into 4.9.1 to see if it contains the same issue. This clip from a Liquibase Q&A confirms this is the case. Therefore we will need to host a 4.9.1 version of Liquibase, similar to what we did with 4.4.2.

From discussion with Liquibase: the Liquibase community version, which is downloadable from their website, can be used and does not have proprietary code. Liquibase are working on splitting community and pro in the Maven version. We have opted to wait until the Maven community version of Liquibase has come out and have been given a time frame of 4-6 weeks.

Update 24th May:
The split is in the review stage and we have been given an estimate of mid to late June.

Assignee: Unassigned
Reporter: ehidlor (Lorant Hideg)