Debian Security Advisory 5473-1
Debian Linux Security Advisory 5473-1 - It was discovered that authenticated API users of Orthanc, a DICOM server for medical imaging, could overwrite arbitrary files and in some setups execute arbitrary code.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5473-1                   [email protected]
https://www.debian.org/security/                       Moritz Muehlenhoff
August 08, 2023                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : orthanc
CVE ID         : CVE-2023-33466
Debian Bug     : 1040597

It was discovered that authenticated API users of Orthanc, a DICOM server
for medical imaging, could overwrite arbitrary files and in some setups
execute arbitrary code.

This update backports the option RestApiWriteToFileSystemEnabled,
setting it to 'true' in /etc/orthanc/orthanc.json restores the previous
behaviour.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.9.2+really1.9.1+dfsg-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.10.1+dfsg-2+deb12u1.

We recommend that you upgrade your orthanc packages.

For the detailed security status of orthanc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/orthanc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTSsBIACgkQEMKTtsN8TjZSQhAAkS1bDC6kIHlJ8O3C97YWTRlGbfxkXNMhpBWWSuNjJg3ihLR7/xK51ByjjFKubvF7W6UrBMcyFExgS+N2H6Goq1+rJFTFbXhVbUj6rC1efmaARRIrIO3CKzCa+F5pPAGerH+5v63FR2j1OLsUMQCqSQ3MuyK9rWBZslgANbxiSD32Ad3p5BMuthzJ6MVNBJYuhaimz2cE0WM+R/no8YNn+39mF7YZ2NjZ6Pnn9+/TDmr98QKsS0J+hgqEEnmOLEy2+cmSf3Hsx/sy3vAypOYOQGnSksIiDroJSc05hrY2qfA8xbf4VoRhLvAP1uRSBedq8wcFY8hBYNWP6s+NLrbi/2FCtcKc+72yafo+zsx8jyoBYZVGFxKAphgknB+/RIs2nUquwnb2I4hJ33jrZmoQfET1qOsWF0LSzwtpmK7AXPWEQAScFQwJdr7OMyYTLETLarSDp+dKCScD9RVGxOMymCd8T04eoPJY1jN+pOPRpxSpqnp1nSg4CqXa2TALlopKmhWwDVDYX/6lGDn3Ms39vI1D+8nQHYkxM3SOEGIh8vMkLSQEIcTy7KE+ExdokmdAVz7SAAiWwuP5skdGTYKSUyoywpeEQ0yIDaibqjicl/Hu3z9fzk8VO+k+ReO61jByNIdgOTvWv1+VSelOI2L1hSFGXwtWHluosWK0hClZyhU==
=yZYs
-----END PGP SIGNATURE-----
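The advisory's mitigation is a single configuration option: after the update, the REST API can only write to the file system if an administrator explicitly sets RestApiWriteToFileSystemEnabled to true. The script below is an added example for this page, not code from the Debian advisory or from the Orthanc project. It reads an Orthanc configuration, tolerates the C/C++-style comments Orthanc accepts in its JSON, and reports whether the option has been re-enabled. The path /etc/orthanc/orthanc.json is the one named in the advisory; the sample configuration embedded in the script is constructed for illustration.

```python
"""Audit an Orthanc configuration for RestApiWriteToFileSystemEnabled.

Added example for this advisory page; it is not part of the Debian
advisory or of the Orthanc project.  It assumes the Debian configuration
path /etc/orthanc/orthanc.json named in the advisory, and the sample
configuration below is constructed for illustration.
"""
import json
from pathlib import Path

OPTION = "RestApiWriteToFileSystemEnabled"

# Constructed sample: a configuration where an administrator has set the
# option to true after the update, restoring the pre-advisory behaviour.
SAMPLE_CONFIG = """{
  // Orthanc accepts C/C++-style comments in its JSON configuration.
  "Name" : "MyOrthanc",
  "RemoteAccessAllowed" : true,
  /* Re-enabled after the upgrade; this undoes the DSA-5473-1 hardening. */
  "RestApiWriteToFileSystemEnabled" : true
}
"""


def strip_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string contents intact,
    so a URL such as "http://host" inside a value is not truncated."""
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped characters verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
            out.append(c)
        elif text.startswith("//", i):
            i = text.find("\n", i)           # drop to end of line
            if i == -1:
                break
            continue                          # the newline itself is kept
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def rest_api_write_enabled(config_text: str) -> bool:
    """True only when the option is explicitly set to JSON true.

    An absent or false option (or a non-boolean value) means the REST API
    cannot write to the file system, the default the updated packages use."""
    cfg = json.loads(strip_comments(config_text))
    return cfg.get(OPTION) is True


def describe(config_text: str, label: str = "config") -> str:
    """One-line summary of the setting, suitable for a compliance report."""
    if rest_api_write_enabled(config_text):
        return (f"{label}: {OPTION} is true; authenticated REST API users can "
                f"write to the file system (pre-DSA-5473-1 behaviour)")
    return f"{label}: {OPTION} is absent or false; REST API file writes are disabled"


def check_config_file(path: str = "/etc/orthanc/orthanc.json") -> str:
    """Read an Orthanc configuration file from disk and summarise it."""
    return describe(Path(path).read_text(), path)


if __name__ == "__main__":
    print(describe(SAMPLE_CONFIG, "sample"))
```

Run it against /etc/orthanc/orthanc.json on bullseye and bookworm hosts after upgrading; a report of "is true" means the option was deliberately set and the deployment has opted back into the behaviour the advisory describes, which is worth a documented justification. Pair it with a package-version check so that a host still on a version older than the fixed ones listed above is flagged regardless of its configuration.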
Related news
CVE-2023-33466: Security advisory for Orthanc deployments running versions before 1.12.0
Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).