CVE-2023-33466
published 2023-06-29


Priority: P2, 62, high
CVSS 3.1: 8.8 (high)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.15% (89.6th percentile)
Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).

Affected

6 ranges

Vendor          Product   Version range                                  Fixed in
debian          orthanc   < orthanc 1.10.1+dfsg-2+deb12u1 (bookworm)     orthanc 1.10.1+dfsg-2+deb12u1 (bookworm)
orthanc-server  orthanc   < 1.12.0                                       1.12.0
orthanc-server  orthanc   >= 0, < 1.9.2+really1.9.1+dfsg-1+deb11u1       1.9.2+really1.9.1+dfsg-1+deb11u1
orthanc-server  orthanc   >= 0, < 1.10.1+dfsg-2+deb12u1                  1.10.1+dfsg-2+deb12u1
orthanc-server  orthanc   >= 0, < 1.12.1+dfsg-1                          1.12.1+dfsg-1
orthanc-server  orthanc   >= 0, < 1.12.1+dfsg-1                          1.12.1+dfsg-1

Detection & IOCs (extracted from sources)

  • Target application is Orthanc versions before 1.12.0; detect exploitation attempts via authenticated API calls that write or overwrite files on the filesystem, particularly configuration files
  • Monitor for unexpected modifications to Orthanc configuration files on the filesystem, which may indicate an attacker staging for RCE via configuration overwrite
  • Exploitation requires authenticated access to the Orthanc API; deployments exposing the API without strong authentication controls are at highest risk
  • RCE is only achievable in specific deployment scenarios where the attacker can overwrite the Orthanc configuration file and trigger a reload or restart
  • Debian scopes this as 'local'; fixed versions are 1.10.1+dfsg-2+deb12u1 (bookworm), 1.9.2+really1.9.1+dfsg-1+deb11u1 (bullseye), and 1.12.1+dfsg-1 (sid/trixie/forky)

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                      8.8     HIGH
vendor_debian            8.8     HIGH