Bug 1212884 (CVE-2023-33466)

Summary: VUL-0: CVE-2023-33466: orthanc: File overwrite can lead to remote code execution
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Axel Braun <axel.braun>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370897/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-06-30 08:08:34 UTC
CVE-2023-33466

Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API
to overwrite arbitrary files on the file system, and in specific deployment
scenarios allows the attacker to overwrite the configuration, which can be
exploited to trigger Remote Code Execution (RCE).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33466
https://www.cve.org/CVERecord?id=CVE-2023-33466
https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568

Comment 1 Cathy Hu 2023-06-30 08:09:23 UTC
Affected:
- openSUSE:Backports:SLE-15-SP4/orthanc           1.11.0

Not Affected:
- openSUSE:Factory/orthanc                        1.12.0

Comment 2 Axel Braun 2023-06-30 18:42:09 UTC
SR #1096196 submitted