CVE-2023-33466

NameCVE-2023-33466
DescriptionOrthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3562-1, DSA-5473-1
Debian Bugs1040597

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
orthanc (PTS)buster1.5.6+dfsg-1vulnerable
buster (security)1.5.6+dfsg-1+deb10u1fixed
bullseye (security), bullseye1.9.2+really1.9.1+dfsg-1+deb11u1fixed
bookworm, bookworm (security)1.10.1+dfsg-2+deb12u1fixed
sid, trixie1.12.3+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
orthancsourcebuster1.5.6+dfsg-1+deb10u1DLA-3562-1
orthancsourcebullseye1.9.2+really1.9.1+dfsg-1+deb11u1DSA-5473-1
orthancsourcebookworm1.10.1+dfsg-2+deb12u1DSA-5473-1
orthancsource(unstable)1.12.1+dfsg-11040597

Notes

https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
Requires the addition of a new RestApiWriteToFileSystemEnabled configuration and
a check in ExportInstanceFile (OrthancRestResources.cpp); the default value
could/work break behaviour.
Search for package or bug name: Reporting problems