The DICOM listener in OsiriX before 5.8 and before 2.5-MD, when starting up, encrypts the TLS private key file using "SuperSecretPassword" as the hardcoded password, which allows local users to obtain the private key.
OsiriX suffers from a private key disclosure vulnerability. All versions up to and including 5.7.1/2.7-MD are affected. The fix was introduced in version 5.8 and 2.8-MD.