CVE-2022-2119: 
NixOS vulnerability analysis and mitigation

OFFIS DCMTK's service class provider (SCP) versions prior to 3.6.7 were identified with a path traversal vulnerability. The vulnerability was discovered by Noam Moshe of Claroty and was publicly disclosed on June 23, 2022. This security flaw affects the DCMTK libraries and software that process DICOM image files, which are widely deployed in healthcare and public health sectors worldwide (CISA Advisory).

The vulnerability is classified as an improper limitation of a pathname to a restricted directory (Path Traversal - CWE-22). It received a CVSS v3 base score of 7.5 with the vector string (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw exists in the service class provider (SCP), allowing attackers to write DICOM files into arbitrary directories under controlled names (CISA Advisory, NVD).

Successful exploitation of this vulnerability could allow attackers to write malformed DICOM files into arbitrary directories and potentially achieve remote code execution. The vulnerability affects healthcare and public health sectors, particularly systems using DCMTK for DICOM image file processing (CISA Advisory).

OFFIS recommends users update to Version 3.6.7 or later. CISA advises implementing defensive measures including minimizing network exposure for control system devices, ensuring systems are not accessible from the Internet, locating control system networks behind firewalls, and isolating them from business networks. When remote access is required, secure methods such as VPNs should be used, ensuring they are updated to the most current version (CISA Advisory).