CVE-2022-2120
9.8
CRITICAL
CVSS 3.1
EPSS 5.7%
Description
OFFIS DCMTK (all versions prior to 3.6.7): the service class user (SCU) is vulnerable to relative path traversal, allowing a remote peer to write DICOM files into arbitrary directories under attacker-controlled names. This could allow remote code execution.
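The pattern behind this advisory, as an added illustration that is not DCMTK's own code: an SCU that receives incoming DICOM objects and names each file after the peer-supplied SOP Instance UID, shown first in a naive form and then hardened. The function names, the output directory and the UID values are constructed for the example; the hardened version validates the UID against the DICOM UID syntax and, as a second check, confirms the resolved path still lies under the output directory.

```python
"""Illustration of the path-traversal pattern in CVE-2022-2120 (constructed
example, not DCMTK code): an SCU that receives C-STORE sub-operations and
names each stored file after the peer-supplied SOP Instance UID."""
import os
import re
from pathlib import Path

# Constructed sample inputs standing in for the (0008,0018) SOP Instance UID
# value a remote peer could send; the traversal value is attacker-controlled.
BENIGN_UID = "1.2.826.0.1.3680043.8.498.12345"
TRAVERSAL_UID = "../../../../tmp/evil"

# DICOM UID syntax (PS3.5 section 9.1): numeric components separated by '.',
# no leading zeros except a lone "0", at most 64 characters in total.
_UID_RE = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*")


def vulnerable_store_path(out_dir: str, sop_instance_uid: str) -> str:
    """Naive filename construction: the UID is trusted as-is, so a value
    containing '../' escapes out_dir, and an absolute value makes
    os.path.join discard out_dir entirely."""
    return os.path.join(out_dir, sop_instance_uid + ".dcm")


def is_valid_uid(uid: str) -> bool:
    """Syntactic UID check; rejects separators, '..', NULs and leading zeros."""
    return 0 < len(uid) <= 64 and _UID_RE.fullmatch(uid) is not None


def escapes_dir(out_dir: str, candidate: str) -> bool:
    """True when the resolved candidate path is not strictly inside out_dir."""
    base = Path(out_dir).resolve()
    return base not in Path(candidate).resolve().parents


def safe_store_path(out_dir: str, sop_instance_uid: str) -> Path:
    """Hardened construction: validate the UID syntactically, then confirm the
    resolved target is still under out_dir (defence in depth in case the naming
    scheme later admits other peer-supplied fields)."""
    if not is_valid_uid(sop_instance_uid):
        raise ValueError(f"rejecting malformed SOP Instance UID {sop_instance_uid!r}")
    target = Path(out_dir) / f"{sop_instance_uid}.dcm"
    if escapes_dir(out_dir, str(target)):
        raise ValueError("resolved path escapes output directory")
    return target.resolve()


def store_allowed(out_dir: str, sop_instance_uid: str) -> bool:
    """Would the hardened SCU accept this UID as a filename?"""
    try:
        safe_store_path(out_dir, sop_instance_uid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    out = "/var/lib/dicom/incoming"  # constructed output directory
    for uid in (BENIGN_UID, TRAVERSAL_UID, "/etc/cron.d/job"):
        naive = vulnerable_store_path(out, uid)
        print(f"{uid!r}: naive -> {naive} (escapes={escapes_dir(out, naive)}), "
              f"hardened accepts={store_allowed(out, uid)}")
```

The syntactic check alone is enough to stop this class of input, because a valid UID can only contain digits and dots; the containment check is kept so that a later change to the naming scheme (for example appending a peer-supplied Study ID) still cannot write outside the configured directory.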
How to fix CVE-2022-2120
To remediate CVE-2022-2120, upgrade the affected package to a fixed version listed below. The upstream fix shipped in DCMTK 3.6.7; the Debian 11 package carries it as a backport to the 3.6.5 branch.
- Debian/dcmtk: upgrade to 3.6.5-1+deb11u4 or later
Is CVE-2022-2120 being exploited?
Moderate: EPSS puts the probability of exploitation in the wild at 5.7%. EPSS rates likelihood, not impact; the CVSS 9.8 already captures the impact of an unauthenticated remote file write. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Debian/dcmtk: all versions < 3.6.5-1+deb11u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |