Describe the security issue
Mirth Connect uses the XStream library to serialize and deserialize objects. It is a potential security risk to allow unexpected object types to be processed through XStream. Therefore we are now being more restrictive about what types are allowed by using an allowlist instead of a denylist. The only types allowed are those that are strictly necessary for Mirth Connect to operate.
Vulnerability Location
This vulnerability exists in the XStream library or how we use the XStream library.
Environment (please complete the following information if it is applicable to the issue)
Suggested remediation
Switch to using an allowlist which would make the accepted types more restrictive.
Additional context
n/a
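The denylist and allowlist approaches contrasted in this issue, shown side by side as an added example (not Mirth Connect's code): the same benign but unlisted type passes the denylist configuration and is rejected by the allowlist one. It assumes XStream 1.4.x on the classpath; `ChannelSummary`, `com.example.KnownBadType` and the sample XML are hypothetical and constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamAllowlistDemo {
    // Hypothetical type standing in for one the application must deserialize.
    public static class ChannelSummary { public String name; }

    // Denylist: every type is accepted unless it has been named as bad.
    static XStream denylist() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.denyTypes(new String[] {"com.example.KnownBadType"}); // hypothetical name
        xs.alias("summary", ChannelSummary.class);
        return xs;
    }

    // Allowlist: start from "nothing permitted" and add only what is needed.
    static XStream allowlist() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypes(new Class[] {ChannelSummary.class, String.class});
        xs.alias("summary", ChannelSummary.class);
        return xs;
    }

    // True if the document deserializes, false if a type permission rejected it.
    static boolean accepts(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return true;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause())
                if (t instanceof ForbiddenClassException) return false;
            throw e; // malformed XML or another failure, not a permission decision
        }
    }

    public static void main(String[] args) {
        String expected = "<summary><name>adt-inbound</name></summary>"; // constructed
        String unexpected = "<big-int>42</big-int>"; // constructed: benign, unlisted type
        System.out.println("denylist,  expected:   " + accepts(denylist(), expected));
        System.out.println("denylist,  unexpected: " + accepts(denylist(), unexpected));
        System.out.println("allowlist, expected:   " + accepts(allowlist(), expected));
        System.out.println("allowlist, unexpected: " + accepts(allowlist(), unexpected));
    }
}
```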