CVE-2020-36855Improper Restriction of Operations within the Bounds of a Memory Buffer in Dcmtk

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-121Stack-based Buffer Overflow4 documents4 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 91.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Offis DcmtkDebian Dcmtk
Timeline
PublishedOct 21

Description

A security vulnerability has been detected in DCMTK up to 3.6.5. The affected element is the function parseQuota of the component dcmqrscp. The manipulation of the argument StorageQuota leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Upgrading to version 3.6.6 is sufficient to fix this issue. The identifier of the patch is 0fef9f02e. It is recommended to upgrade the affected component.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages4 packages

NVDoffis/dcmtk< 3.6.6
debiandebian/dcmtk< dcmtk 3.6.6-1 (bookworm)
Debianoffis/dcmtk< 3.6.5-1+deb11u5+3
CVEListV5offis/dcmtk6 versions+5

🔴Vulnerability Details

2
OSV
CVE-2020-36855: A security vulnerability has been detected in DCMTK up to 32025-10-21
GHSA
GHSA-7w2m-w84v-g952: A security vulnerability has been detected in DCMTK up to 32025-10-21

📋Vendor Advisories

1
Debian
CVE-2020-36855: dcmtk - A security vulnerability has been detected in DCMTK up to 3.6.5. The affected el...2020
CVE-2020-36855 — Offis Dcmtk vulnerability | cvebase