CVE-2022-2120

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-2120

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2120.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-2120

Related

Published

2022-06-24T15:15:10Z

Modified

2024-10-12T08:55:36.351033Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

References

Affected packages

Debian:11 / dcmtk

Package

Name: dcmtk
Purl: pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.6.5-1

3.6.6-1~ext1

3.6.6-1

3.6.6-2

3.6.6-3

3.6.6-4~bpo11+1

3.6.6-4

3.6.6-5~bpo11+1

3.6.6-5

3.6.7-1

3.6.7-2

3.6.7-3

3.6.7-4

3.6.7-5

3.6.7-6~bpo11+1

3.6.7-6

3.6.7-7

3.6.7-8

3.6.7-9~deb12u1

3.6.7-9

3.6.7-9.1

3.6.7-11

3.6.7-12

3.6.7-13

3.6.7-14

3.6.7-15

3.6.8~git20221024.b8950f9-1

3.6.8~git20221024.b8950f9-2

3.6.8~git20221024.b8950f9-3

3.6.8~git20231027.1549d8c-1

3.6.8~git20231027.1549d8c-2

3.6.8-1

3.6.8-2

3.6.8-3

3.6.8-4

3.6.8-5

3.6.8-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dcmtk

Package

Name: dcmtk
Purl: pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.7-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dcmtk

Package

Name: dcmtk
Purl: pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.7-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/dcmtk/dcmtk

Affected ranges

Type: GIT
Repo: https://github.com/dcmtk/dcmtk
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a137f1aff4e1df3fbefe53ee8b160973c74c96dd

Affected versions

CAR96-3.*

CAR96-3.0.1

CAR96-3.0.2

DCMTK-3.*

DCMTK-3.1.0

DCMTK-3.1.1

DCMTK-3.1.2

DCMTK-3.2.0

DCMTK-3.2.1

DCMTK-3.3.0

DCMTK-3.3.1

DCMTK-3.4.0

DCMTK-3.4.1

DCMTK-3.4.2

DCMTK-3.5.0

DCMTK-3.5.1

DCMTK-3.5.2

DCMTK-3.5.2a

DCMTK-3.5.3

DCMTK-3.5.4

DCMTK-3.6.0

DCMTK-3.6.1_20110225

DCMTK-3.6.1_20110519

DCMTK-3.6.1_20110707

DCMTK-3.6.1_20110922

DCMTK-3.6.1_20111208

DCMTK-3.6.1_20120222

DCMTK-3.6.1_20120515

DCMTK-3.6.1_20120831

DCMTK-3.6.1_20121102

DCMTK-3.6.1_20131114

DCMTK-3.6.1_20140617

DCMTK-3.6.1_20150217

DCMTK-3.6.1_20150629

DCMTK-3.6.1_20150924

DCMTK-3.6.1_20160216

DCMTK-3.6.1_20160630

DCMTK-3.6.1_20161102

DCMTK-3.6.1_20170228

DCMTK-3.6.2

DCMTK-3.6.3

DCMTK-3.6.4

DCMTK-3.6.5

DCMTK-3.6.5+_20191213

DCMTK-3.6.6