pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations.
This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Pydicom Pydicom
cpe:2.3:a:pydicom:pydicom:*:*:*:*:*:python:*:*
|
2.0.0
|
3.0.2
|
References 3
https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585…
security-advisories@github.com
https://github.com/pydicom/pydicom/releases/tag/v3.0.2
security-advisories@github.com
https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28
security-advisories@github.com