DEBIAN-CVE-2022-2120

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2022-2120
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-2120.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-2120
Upstream
Published
2022-06-24T15:15:10.743Z
Modified
2025-11-14T04:04:57.692820Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

References

Affected packages

Debian:11 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.5-1+deb11u4

Affected versions

3.*

3.6.5-1
3.6.5-1+deb11u1
3.6.5-1+deb11u2
3.6.5-1+deb11u3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.7-6

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.7-6

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.7-6

Ecosystem specific 

{
    "urgency": "not yet assigned"
}