CVE-2022-2120
Published: 24 June 2022
Summary
CVE-2022-2120 is a high-severity Relative Path Traversal (CWE-23) vulnerability in OFFIS DCMTK. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
OFFIS DCMTK versions prior to 3.6.7 contain a relative path traversal vulnerability in the service class user (SCU) component, tracked as CVE-2022-2120 under CWE-23 and CWE-22. The flaw permits an attacker to write DICOM files to arbitrary directories using attacker-controlled names, which can lead to remote code execution. The issue carries a CVSS 3.1 score of 7.5, reflecting an adjacent-network attack vector, high attack complexity, and no required privileges or user interaction.
An unauthenticated attacker positioned on an adjacent network can exploit the SCU to deposit malicious DICOM files in locations that enable code execution on the affected system. The scenario concerns medical imaging and DICOM-handling environments that rely on DCMTK for processing incoming studies or associations.
Public advisories from CISA (ICSMA-22-174-01) and Debian LTS detail the affected component and reference available updates that resolve the path traversal issue in version 3.6.7 and later.
EPSS for the CVE rose from low values after disclosure to a peak of 0.3287 on 2025-01-22 before receding to the current 0.0568, indicating a period of increased exploitation interest well after initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34406
Vulnerability details
OFFIS DCMTK's service class user (SCU), in all versions prior to 3.6.7, is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
- CWE(s): CWE-23 (Relative Path Traversal), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.