
Important Announcement DSA-5473-2 Regarding Orthanc RCE and File Issues

Debian, August 8, 2023
Authenticated API users of Orthanc can overwrite files and, in some setups, execute arbitrary code. Debian users are advised to update.

Summary

It was discovered that authenticated API users of Orthanc, a DICOM server
for medical imaging, could overwrite arbitrary files and in some setups
execute arbitrary code.

This update backports the option RestApiWriteToFileSystemEnabled;
setting it to 'true' in /etc/orthanc/orthanc.json restores the previous
behaviour.
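A small configuration audit for the option described above, added here as an example and not part of the Debian advisory or the Orthanc project; it assumes Orthanc's JSON configuration may carry C-style comments, and the sample configuration is constructed.

```python
import json

OPTION = "RestApiWriteToFileSystemEnabled"

# Constructed sample in the shape of /etc/orthanc/orthanc.json; the comments
# reflect the assumption that Orthanc accepts C-style comments in its config.
SAMPLE_CONFIG = r'''
{
  // Name of this Orthanc instance
  "Name" : "MyOrthanc",
  "StorageDirectory" : "/var/lib/orthanc/db", /* default storage */
  "RestApiWriteToFileSystemEnabled" : true
}
'''

def strip_comments(text: str) -> str:
    """Drop // and /* */ comments, copying string literals through untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                   # string literal: copy verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):       # line comment: skip to end of line
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):       # block comment: skip past "*/"
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def load_orthanc_config(text: str) -> dict:
    return json.loads(strip_comments(text))

def audit_write_to_filesystem(config: dict) -> dict:
    """Flag the permissive setting; the patched packages default it to false."""
    enabled = bool(config.get(OPTION, False))
    finding = (f"{OPTION} is true: the REST API may write to the local file system"
               if enabled else f"{OPTION} is off (patched default)")
    return {"option_present": OPTION in config, "enabled": enabled, "finding": finding}

if __name__ == "__main__":
    print(audit_write_to_filesystem(load_orthanc_config(SAMPLE_CONFIG)))
```

Point `load_orthanc_config` at the contents of the real /etc/orthanc/orthanc.json to confirm that the option is absent or false after upgrading.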

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.9.2+really1.9.1+dfsg-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.10.1+dfsg-2+deb12u1.

We recommend that you upgrade your orthanc packages.

For the detailed security status of orthanc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/orthanc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



Severity: important

Package: orthanc
CVE ID: CVE-2023-33466
