CVE-2022-2119
dcmtk - security update
Severity: 9.8 CRITICAL (CVSS 3.1)
EPSS: 5.7%
Description
In OFFIS DCMTK (all versions prior to 3.6.7), the service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under attacker-controlled names. This could allow remote code execution.
How to fix CVE-2022-2119
To remediate CVE-2022-2119, upgrade the affected package to one of the fixed versions listed below.
- Debian/dcmtk: upgrade to 3.6.5-1+deb11u4 or later
Is CVE-2022-2119 being exploited?
Moderate: the EPSS score is 5.7%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 3.6.5-1+deb11u4
- from 0, < 3.6.5-1+deb11u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |