Pynetdicom Library
Monthly
Arbitrary file write in the pynetdicom library's qrscp storage SCP application allows a remote, unauthenticated attacker to plant files at attacker-chosen paths on the receiving host. The qrscp C-STORE handler trusts a value taken from an incoming DICOM dataset and passes it into os.path.join() without sanitization, so a crafted instance identifier containing path-traversal sequences escapes the intended storage directory. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.8 and unauthenticated network reachability make this a high-priority issue for any exposed DICOM endpoint.
Arbitrary file write in the pynetdicom library's qrscp storage SCP application allows a remote, unauthenticated attacker to plant files at attacker-chosen paths on the receiving host. The qrscp C-STORE handler trusts a value taken from an incoming DICOM dataset and passes it into os.path.join() without sanitization, so a crafted instance identifier containing path-traversal sequences escapes the intended storage directory. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.8 and unauthenticated network reachability make this a high-priority issue for any exposed DICOM endpoint.