Upstream information
CVE-2022-2120 at MITRE
Description
OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
Overall state of this security issue: Resolved
This issue is currently rated as having critical severity.
CVSS v2 Scores
| National Vulnerability Database |
Base Score | 7.5 |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Access Vector | Network |
Access Complexity | Low |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | Partial |
CVSS v3 Scores
| National Vulnerability Database |
Base Score | 9.8 |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
CVSSv3 Version | 3.1 |
SUSE Bugzilla entry:
1208638 [RESOLVED / FIXED]
SUSE Security Advisories:
List of released packages
Product(s) | Fixed package version(s) | References |
SUSE Package Hub 15 SP3 | gdcm >= 3.0.19-bp153.2.8.1
gdcm-applications >= 3.0.19-bp153.2.8.1
gdcm-devel >= 3.0.19-bp153.2.8.1
gdcm-examples >= 3.0.19-bp153.2.8.1
libgdcm3_0 >= 3.0.19-bp153.2.8.1
libsocketxx1_2 >= 3.0.19-bp153.2.8.1
orthanc >= 1.11.2-bp153.2.13.1
orthanc-devel >= 1.11.2-bp153.2.13.1
orthanc-doc >= 1.11.2-bp153.2.13.1
orthanc-gdcm >= 1.5-bp153.2.6.1
orthanc-source >= 1.11.2-bp153.2.13.1
orthanc-webviewer >= 2.8-bp153.2.3.1
python3-gdcm >= 3.0.19-bp153.2.8.1
| Patchnames: openSUSE-2022-10144 |
SUSE Package Hub 15 SP4 | dcmtk >= 3.6.7-bp154.2.3.1
dcmtk-devel >= 3.6.7-bp154.2.3.1
gdcm >= 3.0.19-bp154.2.5.1
gdcm-applications >= 3.0.19-bp154.2.5.1
gdcm-devel >= 3.0.19-bp154.2.5.1
gdcm-examples >= 3.0.19-bp154.2.5.1
libdcmtk17 >= 3.6.7-bp154.2.3.1
libgdcm3_0 >= 3.0.19-bp154.2.5.1
libsocketxx1_2 >= 3.0.19-bp154.2.5.1
orthanc >= 1.11.2-bp154.2.3.1
orthanc-devel >= 1.11.2-bp154.2.3.1
orthanc-doc >= 1.11.2-bp154.2.3.1
orthanc-gdcm >= 1.5-bp154.2.3.1
orthanc-source >= 1.11.2-bp154.2.3.1
orthanc-webviewer >= 2.8-bp154.2.3.1
python3-gdcm >= 3.0.19-bp154.2.5.1
| Patchnames: openSUSE-2022-10145 openSUSE-2023-108 |
openSUSE Leap 15.3 | gdcm >= 3.0.19-bp153.2.8.1
gdcm-applications >= 3.0.19-bp153.2.8.1
gdcm-devel >= 3.0.19-bp153.2.8.1
gdcm-examples >= 3.0.19-bp153.2.8.1
libgdcm3_0 >= 3.0.19-bp153.2.8.1
libsocketxx1_2 >= 3.0.19-bp153.2.8.1
orthanc >= 1.11.2-bp153.2.13.1
orthanc-devel >= 1.11.2-bp153.2.13.1
orthanc-doc >= 1.11.2-bp153.2.13.1
orthanc-gdcm >= 1.5-bp153.2.6.1
orthanc-source >= 1.11.2-bp153.2.13.1
orthanc-webviewer >= 2.8-bp153.2.3.1
python3-gdcm >= 3.0.19-bp153.2.8.1
| Patchnames: openSUSE-2022-10144 |
openSUSE Leap 15.4 | dcmtk >= 3.6.7-bp154.2.3.1
dcmtk-devel >= 3.6.7-bp154.2.3.1
gdcm >= 3.0.19-bp154.2.5.1
gdcm-applications >= 3.0.19-bp154.2.5.1
gdcm-devel >= 3.0.19-bp154.2.5.1
gdcm-examples >= 3.0.19-bp154.2.5.1
libdcmtk17 >= 3.6.7-bp154.2.3.1
libgdcm3_0 >= 3.0.19-bp154.2.5.1
libsocketxx1_2 >= 3.0.19-bp154.2.5.1
orthanc >= 1.11.2-bp154.2.3.1
orthanc-devel >= 1.11.2-bp154.2.3.1
orthanc-doc >= 1.11.2-bp154.2.3.1
orthanc-gdcm >= 1.5-bp154.2.3.1
orthanc-source >= 1.11.2-bp154.2.3.1
orthanc-webviewer >= 2.8-bp154.2.3.1
python3-gdcm >= 3.0.19-bp154.2.5.1
| Patchnames: openSUSE-2022-10145 openSUSE-2023-108 |
SUSE Timeline for this CVE
CVE page created: Fri Jun 24 20:00:20 2022
CVE page last modified: Tue May 23 18:18:01 2023