CVE-2022-2119 HIGH

CVE-2022-2119: OFFIS DCMTK Path Traversal

Vendor Offis
Product DCMTK
Weakness CWE-22 · Path traversal
Published June 24, 2022
Last update November 3, 2025

CVSS base score

7.5/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The service class provider (SCP) in OFFIS DCMTK (all versions prior to 3.6.7) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.

Key dates

02 Disclosure timeline

June 24, 2022 CVE published
November 3, 2025 Record updated