第三方 DICOM 私有标签的不安全 XML 解析可能会导致 XXE (CVE-2023-3892)
CVE编号
CVE-2023-3892利用情况
暂无补丁情况
N/A披露时间
2023-09-19漏洞描述
Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+). This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild. For more information, visit https://www.mimsoftware.com/cve-2023-3892 https://www.mimsoftware.com/cve-2023-3892 This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://www.mimsoftware.com/cve-2023-3892 |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | mimsoftware | assistant | 7.2.10 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | mimsoftware | assistant | 7.3.3 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | mimsoftware | client | 7.2.10 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | mimsoftware | client | 7.3.3 | - | |||||
- 攻击路径 相邻
- 攻击复杂度 低
- 权限要求 低
- 影响范围 未更改
- 用户交互 需要
- 可用性 高
- 保密性 高
- 完整性 高
| CWE-ID | 漏洞类型 |
| CWE-611 | XML外部实体引用的不恰当限制(XXE) |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论