CVE-2024-42845: 
Linux Debian vulnerability analysis and mitigation

An eval Injection vulnerability (CVE-2024-42845) was discovered in the component invesalius/reader/dicom.py of InVesalius, affecting versions 3.1.99991 through 3.1.99998. The vulnerability allows attackers to execute arbitrary code via loading a crafted DICOM file. InVesalius is an open-source biomedical tool used worldwide for 3D medical imaging reconstruction based on DICOM files (NVD, Cybersecurity News).

The vulnerability is associated with the GetImagePosition() function that processes the DICOM standard tag (0x0020, 0x0032), which contains coordinates of the upper left-corner voxel of an image. The issue stems from the unsafe use of Python's eval() function on data extracted from DICOM files. The function processes image position values split by backslashes, where each value is evaluated using eval(), allowing for potential code execution. The vulnerability has received a CVSS 3.1 Base Score of 8.0 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD, Partywave Research).

The vulnerability could allow attackers to execute arbitrary code on systems running affected versions of InVesalius. Given that InVesalius is used in medical facilities worldwide for processing and viewing medical imaging data, successful exploitation could potentially compromise sensitive medical information and system integrity (Cybersecurity News).

Users of affected versions should update to the latest version of InVesalius when available. The vulnerability affects versions 3.1.99991 through 3.1.99998, and organizations should implement proper input validation techniques to prevent similar vulnerabilities (NVD).