Bug 1212884 (CVE-2023-33466) - VUL-0: CVE-2023-33466: orthanc: File overwrite can lead to remote code execution
Summary: VUL-0: CVE-2023-33466: orthanc: File overwrite can lead to remote code execution
Status: IN_PROGRESS
Alias: CVE-2023-33466
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Axel Braun
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370897/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-30 08:08 UTC by Cathy Hu
Modified: 2023-06-30 18:42 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2023-06-30 08:08:34 UTC
CVE-2023-33466

Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API
to overwrite arbitrary files on the file system, and in specific deployment
scenarios allows the attacker to overwrite the configuration, which can be
exploited to trigger Remote Code Execution (RCE).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33466
https://www.cve.org/CVERecord?id=CVE-2023-33466
https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
Comment 1 Cathy Hu 2023-06-30 08:09:23 UTC
Affected:
- openSUSE:Backports:SLE-15-SP4/orthanc           1.11.0

Not Affected:
- openSUSE:Factory/orthanc                        1.12.0
Comment 2 Axel Braun 2023-06-30 18:42:09 UTC
SR #1096196 submitted