LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36855: DCMTK dcmqrscp parseQuota stack-based overflow

A security vulnerability has been detected in DCMTK up to 3.6.5. The affected element is the function parseQuota of the component dcmqrscp. The manipulation of the argument StorageQuota leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Upgrading to version 3.6.6 is sufficient to fix this issue. The identifier of the patch is 0fef9f02e. It is recommended to upgrade the affected component.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

DCMTK is open-source software widely used by hospitals and imaging vendors to handle medical imaging (DICOM) data. A flaw in its dcmqrscp storage server lets a logged-in local user crash or potentially manipulate the program by abusing a storage-quota setting. The vendor fixed it in DCMTK 3.6.6, so upgrading resolves the issue.

Executive priority

Schedule as routine patching. The flaw is medium severity, requires local access, and a vendor fix exists. Prioritize healthcare imaging or PACS-adjacent systems where DCMTK is in production, but no emergency response is indicated by the public sources.

Technical view

A stack-based buffer overflow (CWE-121/CWE-119) in the parseQuota function of dcmqrscp in DCMTK versions 3.6.0 through 3.6.5 can be triggered by manipulating the StorageQuota argument. CVSS 3.1 is 5.3 (AV:L/AC:L/PR:L/UI:N) reflecting local access and low privileges. Public exploit material is referenced. Patch commit 0fef9f02e ships in DCMTK 3.6.6.

Likely exposure

Exposure is limited to environments running DCMTK's dcmqrscp DICOM storage/query-retrieve service where untrusted local users can influence configuration or invoke the binary. Most risk lies in healthcare imaging gateways, PACS test systems, and research workstations using DCMTK 3.6.5 or earlier.

Exploitation context

Not listed in CISA KEV. Sources note the exploit has been publicly disclosed and may be used, but no in-the-wild campaigns are cited. Attack vector is local with low privileges and no user interaction, limiting remote mass-exploitation but enabling insider or post-compromise abuse.

Researcher notes

CWE-121 stack overflow in parseQuota; CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L with E:P/RL:O/RC:C indicates proof-of-concept exists, official remediation is available, and confirmation is high. No KEV entry. Validate by diffing against upstream commit 0fef9f02e and check downstream distros and embedded medical-device firmware that may lag behind 3.6.6.

Mitigation direction

  • Upgrade DCMTK to version 3.6.6 or later, which contains patch commit 0fef9f02e.
  • Restrict local access to systems running dcmqrscp to trusted administrators only.
  • Tighten file and configuration permissions on dcmqrscp StorageQuota inputs.
  • Inventory imaging gateways and embedded products that bundle DCMTK and confirm vendor patch status.
  • Monitor dcmqrscp processes for unexpected crashes or restarts.

Validation and detection

  • Run dcmqrscp --version and compare against 3.6.6 or later on each host.
  • Search software inventories and SBOMs for DCMTK components below 3.6.6.
  • Check vendor advisories for medical imaging products that embed DCMTK.
  • Confirm patch commit 0fef9f02e is present in any locally built DCMTK binaries.
  • Review local account access and sudo rights on hosts running dcmqrscp.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-119: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-121: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36855 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C1.83.4Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2020-36855Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/aDCMTK3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.