CVE-2024-42845

Name of the Vulnerable Software and Affected Versions InVesalius versions 3.1.99991 through 3.1.99998

Description The issue is related to an eval Injection vulnerability in the invesalius/reader/dicom.py component, which allows attackers to execute arbitrary code via loading a crafted DICOM file. This vulnerability is associated with insufficient input validation, enabling a remote attacker to execute arbitrary code by loading a specially crafted DICOM file. The vulnerability is linked to a function in the software that processes the DICOM standard.

Recommendations For InVesalius versions 3.1.99991 through 3.1.99998, consider disabling the dicom.py component in the invesalius/reader directory until a patch is available to prevent the execution of arbitrary code via crafted DICOM files. Restrict access to the DICOM file import functionality to minimize the risk of exploitation. Avoid using the vulnerable dicom.py component for loading DICOM files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.