CVE-2022-2120: 
NixOS vulnerability analysis and mitigation

CVE-2022-2120 affects OFFIS DCMTK's service class user (SCU) in all versions prior to 3.6.7. The vulnerability was discovered and disclosed in June 2022, impacting libraries and software that process DICOM image files. This security flaw allows attackers to perform relative path traversal attacks, potentially compromising healthcare and public health infrastructure worldwide (CISA Advisory, NVD).

The vulnerability is classified as a relative path traversal issue (CWE-23) that affects the service class user component. It has been assigned a CVSS v3 base score of 7.5 with the vector string (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The technical nature of the vulnerability allows an attacker to write DICOM files into arbitrary directories under controlled names (CISA Advisory).

The successful exploitation of this vulnerability could lead to remote code execution by allowing attackers to write DICOM files into arbitrary directories under controlled names. This poses significant risks particularly to healthcare and public health sectors, where DICOM file processing is crucial for medical imaging systems (CISA Advisory).

OFFIS recommends updating to Version 3.6.7 or later to address this vulnerability. CISA advises implementing additional defensive measures including minimizing network exposure for all control system devices, ensuring systems are not accessible from the Internet, and placing control system networks behind firewalls isolated from business networks. When remote access is required, secure methods such as VPNs should be used (CISA Advisory).