Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-3892: 2023-3892 - MIM Software Inc.

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup.

In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data.

Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+).

This issue was found and analyzed by MIM Software’s internal security team. We are unaware of any proof of concept or actual exploit available in the wild.

For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892

This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3.

CVE
Open in Source
#vulnerability#auth

Summary:

An issue was identified in MIM versions 7.2.10 and 7.3.3 that allows for an attacker to execute an external entity attack (XXE) by embedding certain malicious XML documents into specific DICOM RT object tags.

In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RT object metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data by either automated Assistant response or user action.

Customers on 7.2.10 are encouraged to update to 7.2.11 or higher.
Customers on 7.3.3 are encouraged to update to 7.3.4 or higher.

Referenced Common Weakness Enumerations:

CWE-611

Affected Products and Services:

MIM Assistant

MIM Client Application

Affected Versions:

Only 7.2.10 and 7.3.3.

Recommended Mitigation:

  • Primary Recommendation: Customers on an affected version are encouraged to upgrade to 7.2.11 or 7.3.4 as soon as reasonably possible.

  • Temporary/Tertiary Mitigation: Do not run MIM’s DICOM Store Service in promiscuous mode to prevent unauthorized DICOM nodes on your network from transferring malicious DICOM data to MIM applications or services. Ensure that all MIM Pacs remote patient lists on your network require authorization for write access.

Discovery:

This vulnerability was discovered by MIM Software’s internal security testing team.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE