Improper Array Index Validation in OFFIS DCMTK Product
CVE-2024-47796

8.4HIGH

Key Information:

Vendor: Offis
Status: Dcmtk
Vendor: CVE Published:; 13 January 2025

What is CVE-2024-47796?

A vulnerability in the OFFIS DCMTK version 3.6.8 allows for improper array index validation due to the nowindow functionality. This flaw can be exploited by an attacker sending a specially crafted DICOM file, potentially leading to an out-of-bounds write, which could compromise the integrity of the application.

Affected Version(s)

DCMTK 3.6.8

References

https://talosintelligence.com/vulnerability_reports/TALOS...

https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e...

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 13, 2025
Vulnerability Reserved
Dec 3, 2024

Credit

Discovered by Emmanuel Tacheau of Cisco Talos.

Offis

What is CVE-2024-47796?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit