[SECURITY] Mirth Connect 4.1.1.b303 vulnerable to CVE-2022-2191 #5440
Labels
Comments
|
Curious, did you in fact confirm Mirth as built / configured is vulnerable to this or was this issue a byproduct of a security scan that identified the jetty version and flagged the CVE? |
It just occurred along other issues on an eclipse security report. there were actually a few more which I was able to resolve by exchanging the current Jetty 9.4.X with the latest release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the security issue
CVE-2022-2191: SslConnection does not release ByteBuffers in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked.
Vulnerability Location
Mirth Connect\server-lib\jetty
Environment (please complete the following information if it is applicable to the issue)
Suggested remediation
VendorFix: Update to version 10.0.10, 11.0.10 or later.
Additional context
GHSA-8mpp-f3f7-xc28
The text was updated successfully, but these errors were encountered: