CVE-2019-1010228Out-of-bounds Write in Dcmtk

CWE-787Out-of-bounds WriteCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents6 sources
Severity
9.8CRITICALNVD
OSV7.5
EPSS
0.6%
top 30.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Offis DcmtkDebian DcmtkOffis.de Dcmtk+1 more
Timeline
PublishedJul 22
Latest updateFeb 22

Description

OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The impact is: Possible code execution and confirmed Denial of Service. The component is: DcmRLEDecoder::decompress() (file dcrledec.h, line 122). The attack vector is: Many scenarios of DICOM file processing (e.g. DICOM to image conversion). The fixed version is: 3.6.4, after commit 40917614e.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

Debianoffis/dcmtk< 3.6.4-1+3
Ubuntuoffis/dcmtk< 3.6.1~20150924-5ubuntu0.1~esm1+3
NVDoffis/dcmtk3.6.3
CVEListV5offis.de/dcmtk3.6.3 and below [fixed: 3.6.4, after commit 40917614e]
debiandebian/dcmtk< dcmtk 3.6.4-1 (bookworm)

Also affects: Fedora 29, 30

🔴Vulnerability Details

3
OSV
dcmtk vulnerabilities2023-02-22
GHSA
GHSA-pqj4-82hx-mp43: OFFIS2022-05-24
OSV
CVE-2019-1010228: OFFIS2019-07-22

📋Vendor Advisories

2
Ubuntu
DCMTK vulnerabilities2023-02-22
Debian
CVE-2019-1010228: dcmtk - OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The impact is: P...2019

💬Community

2
Bugzilla
CVE-2019-1010228 DCMTK: buffer overflow in DcmRLEDecoder::decompress() leads to possible code execution and denial of service2019-07-23
Bugzilla
CVE-2019-1010228 dcmtk: buffer overflow in DcmRLEDecoder::decompress() leads to possible code execution and denial of service [fedora-all]2019-07-23
CVE-2019-1010228 — Out-of-bounds Write in Debian Dcmtk | cvebase