pydicom Path Traversal Vulnerability in FileSet Operations

A path traversal vulnerability has been identified in the pydicom library, specifically in versions 2.0.0-rc.1 through 3.0.1. The issue arises when a crafted DICOMDIR file sets the ReferencedFileID to a path outside the File-set root. pydicom only verifies the existence of the path without ensuring it remains within the File-set boundaries. This oversight allows subsequent FileSet operations, such as copy, write, and remove combined with write(use_existing=True), to access or manipulate files outside the intended directory, potentially leading to unauthorized file read, copy, move, or delete actions.

Impact

Exploitation of this vulnerability allows arbitrary file operations outside the File-set root, including reading, copying, moving, and deleting files. This could result in unauthorized access to sensitive files or disruption of file management processes.

Reproduction

To reproduce this vulnerability, upload a DICOM File-set containing a DICOMDIR file. Modify the DICOMDIR to include a ReferencedFileID that points to a file outside the File-set root, such as a system file or a file in the temporary directory. After uploading the modified DICOMDIR, use FileSet operations to export or reorganize the File-set. The contents of the referenced external file will be included in the exported result.

Remediation

Users can upgrade to pydicom version 3.0.2, which addresses this vulnerability by adding checks to ensure that ReferencedFileID paths remain within the File-set root before allowing file operations.