CVE-2023-33466
Debian Security Advisory 5473-1
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).
Orthanc antes de 1.12.0 permite a los usuarios autenticados con acceso a la API de Orthanc sobrescribir archivos arbitrarios en el sistema de archivos y, en escenarios de implementación específicos, permite al atacante sobrescribir la configuración, que puede aprovecharse para desencadenar la Ejecución Remota de Código (RCE).
It was discovered that authenticated API users of Orthanc, a DICOM server for medical imaging, could overwrite arbitrary files and in some setups execute arbitrary code.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-05-22 CVE Reserved
- 2023-06-29 CVE Published
- 2024-11-26 CVE Updated
- 2025-02-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/09/msg00009.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Orthanc-server Search vendor "Orthanc-server" | Orthanc Search vendor "Orthanc-server" for product "Orthanc" | < 1.12.0 Search vendor "Orthanc-server" for product "Orthanc" and version " < 1.12.0" | - |
Affected
| ||||||