CVE-2022-2120: Relative Path Traversal in DCMTK

Severity
  NVD: 9.8 CRITICAL
  OSV: 7.5
EPSS
  4.6% (top 10.73%)
CISA KEV
  Not in KEV
Exploit
  No known exploits
Timeline
  Published: Jun 24
  Latest update: Feb 22

Description

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (5 packages)

Source      Package         Affected versions
CVEListV5   offis/dcmtk     unspecified, 3.6.7
NVD         offis/dcmtk     < 3.6.7
Debian      offis/dcmtk     < 3.6.5-1+deb11u4 (+3)
Ubuntu      offis/dcmtk     < 3.6.1~20150924-5ubuntu0.1~esm1 (+3)
debian      debian/dcmtk    < dcmtk 3.6.7-6 (bookworm)

Vulnerability Details (3)

OSV    dcmtk vulnerabilities                                          2023-02-22
GHSA   GHSA-9hc9-vchg-8p47: OFFIS DCMTK's (All versions prior to 3...  2022-06-25
OSV    CVE-2022-2120: OFFIS DCMTK's (All versions prior to 3...        2022-06-24

Vendor Advisories (2)

Ubuntu   DCMTK vulnerabilities                                                                              2023-02-22
Debian   CVE-2022-2120: dcmtk - OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerab...  2022
CVE-2022-2120 — Relative Path Traversal in Offis Dcmtk | cvebase