Security Advisories
Responsible vulnerability disclosures from our security research.
As part of our security research, we identify and responsibly disclose vulnerabilities in software used in healthcare and critical infrastructure. We work closely with vendors to ensure issues are resolved before publication. Each advisory below documents a confirmed vulnerability along with its impact and recommended mitigation.
ePA-VAU client research
Several of the advisories below share a recurring weakness pattern in ePA client implementations built on lib-vau. They are collected on a single summary page.
View ePA-VAU summary
mercure
DICOM Orchestrator
4 Critical, 5 High, 1 Medium
mercure: Unauthenticated Remote Code Execution in the DICOM Receiver
mercure: Code Injection via eval() Sandbox Escape in Routing Rules
mercure: Server-Side Template Injection in the Notification System
mercure: Arbitrary Docker Container Configuration Leading to Host Compromise
mercure: Privilege Escalation via Missing Authorization on User Edit
mercure: Pickle Deserialization via Unauthenticated Redis
mercure: Command Injection via the subservice Log Parameter
mercure: Command Injection via Unquoted Target Fields in Connection Tests
mercure: Command Injection via Unquoted SFTP Password
mercure: SQL Injection in the Bookkeeper Query Endpoints
Orthanc
PACS / DICOM Server
3 Critical, 6 High
Orthanc DICOM Server: Heap Buffer Overflow in DICOM Image Decoder (Palette Color Decode)
Orthanc DICOM Server: Heap Buffer Overflow in DICOM Image Decoder via VR UL Dimensions
Orthanc DICOM Server: Out-of-Bounds Read in DICOM Image Decoder (DecodeLookupTable)
Orthanc DICOM Server: Out-of-Bounds Read in DicomStreamReader Meta-Header Parser
Orthanc DICOM Server: Memory Exhaustion via Unbounded Content-Length
Orthanc DICOM Server: Memory Exhaustion via Forged ZIP Metadata
Orthanc DICOM Server: GZIP Decompression Bomb via Content-Encoding Header
Orthanc DICOM Server: Out-of-Bounds Read in DICOM Image Decoder (PMSCT_RLE1 Decompression)
Orthanc DICOM Server: Heap Buffer Overflow in PAM Image Buffer Allocation
gematik
German Healthcare Infrastructure
1 Critical, 3 High, 1 Medium
gematik Authenticator: Authentication Flow Hijack
gematik Authenticator: Remote Code Execution via a Crafted Keychain File
gematik lib-vau / lib-vau-csharp: AES-GCM Nonce Reuse in VAU Server Encryption
gematik lib-vau / lib-vau-csharp: VAU Handshake Performs Only 2 of 6 Required Server-Key Checks
gematik ref-idp-server: Open Redirect via Unvalidated redirect_uri
fbeta GmbH
ePA3-Service (DiGA-Konnektormodul)
1 Critical, 2 High, 1 Medium
fbeta ePA3-Service-OpenSource: VAU Server Authentication Bypass via Circular Certificate Trust
fbeta ePA3-Service-OpenSource: TLS Certificate Verification Universally Disabled
fbeta ePA3-Service-OpenSource: AES-GCM Nonce Reuse via Frozen VAU Request Counter
fbeta ePA3-Service-OpenSource: HTTP Header Injection in VAU Inner Requests
DCMTK
OFFIS DICOM Toolkit
1 Critical
OpenMRS
Electronic Medical Record Platform
1 Critical
OpenReception
Appointment Booking Software
1 Critical
Oviva
ePA Client (Elektronische Patientenakte)
3 High, 1 Medium
Oviva epa4all-client: VAU Signature Verification Bypass
Oviva epa4all-client: TLS Certificate Validation Disabled in Production
Oviva epa4all-client: IDP Discovery Document Signature Bypass
Oviva epa4all-rest-service: Unauthenticated REST API for Patient Record Writes
med-united
ePA-Middleware (Primärsystem)
2 High
OHIF
Web-Based DICOM Viewer
1 High
Robert Koch Institut (RKI)
Metadata Exchange Platform
1 High
