CVE-2024-28130

2024-04-2315:15:49

CWE-704

[email protected]

web.nvd.nist.gov

type conversion

vulnerability

offis dcmtk 3.6.8

arbitrary code execution

malicious file

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

JSON

An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Affected configurations

Vulners

Node

offisdcmtkRange≤3.6.8

VendorProductVersionCPE
offisdcmtk*cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
offis	dcmtk	*	cpe:2.3:a:offis:dcmtk::::::::

CNA Affected

[
  {
    "vendor": "OFFIS",
    "product": "DCMTK",
    "versions": [
      {
        "version": "3.6.8",
        "status": "affected"
      }
    ]
  }
]