CVE-2018-20250
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Check Point Software Technologies Ltd. | WinRAR | All versions prior and including 5.61 | affected |
Weaknesses
- CWE-36: CWE-36: Absolute Path Traversal
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://www.exploit-db.com/exploits/46552/
- http://www.securityfocus.com/bid/106948
- https://www.win-rar.com/whatsnew.html
- http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
- https://www.exploit-db.com/exploits/46756/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://www.exploit-db.com/exploits/46552/
- http://www.securityfocus.com/bid/106948
- https://www.win-rar.com/whatsnew.html
- http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
- https://www.exploit-db.com/exploits/46756/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.