Canon Medical Systems Security Advisory
Overview:
Security vulnerabilities affecting OFFIS DCMTK have been announced. DCMTK is a collection of libraries and software for processing DICOM image files. Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.
Vulnerability Overview:
CVE ID | Description | CVSS v3.1 |
CVE-2022-2119 | The affected product’s service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution. | 7.5 |
CVE-2022-2120 | The affected product’s service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution. | 7.5 |
CVE-2022-2121 | The affected product has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition. | 6.5 |
© Canon Medical Systems Canada Limited