SB2022062403 - Multiple vulnerabilities in OFFIS DCMTK

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022062403

SB2022062403 - Multiple vulnerabilities in OFFIS DCMTK

Published: June 24, 2022 Updated: August 18, 2023

Security Bulletin ID SB2022062403
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 86% Low 14%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2022-2119)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the service class provider (SCP). A remote attacker on the local network can send a specially crafted HTTP request and write arbitrary files on the system, leading to remote code execution.


2) Path traversal (CVE-ID: CVE-2022-2120)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the service class user (SCU). A remote attacker can send a specially crafted HTTP request and write arbitrary files on the system, leading to remote code execution.


3) NULL pointer dereference (CVE-ID: CVE-2022-2121)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error while processing DICOM files. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


4) NULL pointer dereference (CVE-ID: CVE-2021-41689)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


5) Memory leak (CVE-ID: CVE-2021-41687)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak. A remote attacker can force the application to leak memory and perform denial of service attack.


6) Memory leak (CVE-ID: CVE-2021-41690)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak. A remote attacker can force the application to leak memory and perform denial of service attack.


7) Double Free (CVE-ID: CVE-2021-41688)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote attacker can pass specially crafted data to the application, trigger a double free error and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References