[SECURITY] Mirth Connect 4.1.1.b303 vulnerable to CVE-2022-2191 #5440
Comments
Curious, did you in fact confirm Mirth as built / configured is vulnerable to this or was this issue a byproduct of a security scan that identified the Jetty version and flagged the CVE?
It just occurred along with other issues on an Eclipse security report. There were actually a few more which I was able to resolve by exchanging the current Jetty 9.4.X with the latest release.
Describe the security issue
CVE-2022-2191: SslConnection does not release ByteBuffers in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked.
Vulnerability Location
Mirth Connect\server-lib\jetty
Environment (please complete the following information if it is applicable to the issue)
Suggested remediation
VendorFix: Update to version 10.0.10, 11.0.10 or later.
Additional context
GHSA-8mpp-f3f7-xc28