CVE-2022-2119 — Path Traversal in Dcmtk

CWE-22 — Path Traversal6 documents5 sources

Severity

9.8CRITICALNVD

OSV7.5

EPSS

4.6%

top 10.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Offis Dcmtk Debian Dcmtk

Timeline

PublishedJun 24

Latest updateFeb 22

Description

OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5offis/dcmtkunspecified — 3.6.7

▶NVDoffis/dcmtk< 3.6.7

▶Debianoffis/dcmtk< 3.6.5-1+deb11u4+3

▶Ubuntuoffis/dcmtk< 3.6.1~20150924-5ubuntu0.1~esm1+3

▶debiandebian/dcmtk< dcmtk 3.6.7-6 (bookworm)

🔴Vulnerability Details

OSV

dcmtk vulnerabilities↗2023-02-22

▶

GHSA

GHSA-5pjf-38m2-65rx: OFFIS DCMTK's (All versions prior to 3↗2022-06-25

▶

OSV

CVE-2022-2119: OFFIS DCMTK's (All versions prior to 3↗2022-06-24

▶

📋Vendor Advisories

Ubuntu

DCMTK vulnerabilities↗2023-02-22

▶

Debian

CVE-2022-2119: dcmtk - OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vuln...↗2022

▶