OpenCVE

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rarlab	Winrar

Configuration 1 [-]

cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
http://www.securityfocus.com/bid/106948
https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.exploit-db.com/exploits/46552/
https://www.exploit-db.com/exploits/46756/
https://www.win-rar.com/whatsnew.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: checkpoint

Published: 2019-02-05T20:00:00Z

Updated: 2024-09-17T00:11:50.340Z

Reserved: 2018-12-19T00:00:00

Link: CVE-2018-20250

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-02-05T20:29:00.243

Modified: 2024-11-21T04:01:10.173

Link: CVE-2018-20250

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "WinRAR", "vendor": "Check Point Software Technologies Ltd.", "versions": [{"status": "affected", "version": "All versions prior and including 5.61"}]}], "datePublic": "2019-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-36", "description": "CWE-36: Absolute Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-25T18:06:08", "orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45", "shortName": "checkpoint"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"tags": ["x_refsource_MISC"], "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"name": "46552", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46552/"}, {"name": "106948", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106948"}, {"tags": ["x_refsource_MISC"], "url": "https://www.win-rar.com/whatsnew.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"name": "46756", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46756/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@checkpoint.com", "DATE_PUBLIC": "2019-02-05T00:00:00", "ID": "CVE-2018-20250", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WinRAR", "version": {"version_data": [{"version_value": "All versions prior and including 5.61"}]}}]}, "vendor_name": "Check Point Software Technologies Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-36: Absolute Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE", "refsource": "MISC", "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"name": "https://research.checkpoint.com/extracting-code-execution-from-winrar/", "refsource": "MISC", "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"name": "46552", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46552/"}, {"name": "106948", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106948"}, {"name": "https://www.win-rar.com/whatsnew.html", "refsource": "MISC", "url": "https://www.win-rar.com/whatsnew.html"}, {"name": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"name": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace", "refsource": "MISC", "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"name": "46756", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46756/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:58:19.126Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"name": "46552", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46552/"}, {"name": "106948", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106948"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.win-rar.com/whatsnew.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"name": "46756", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46756/"}]}]}, "cveMetadata": {"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45", "assignerShortName": "checkpoint", "cveId": "CVE-2018-20250", "datePublished": "2019-02-05T20:00:00Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-17T00:11:50.340Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"cisaActionDue": "2022-08-15", "cisaExploitAdd": "2022-02-15", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "WinRAR Absolute Path Traversal Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EA0C7CE-99E6-4C92-AE89-6C6A8DF92126", "versionEndIncluding": "5.61", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}, {"lang": "es", "value": "En WinRAR, en versiones anteriores a la 5.61, hay una vulnerabilidad de salto de directorio al manipular el campo \"filename\" del formato ACE (en UNACEV2.dll). Cuando este campo se manipula con patrones espec\u00edficos, la carpeta de destino (extracci\u00f3n) se ignora, tratando el nombre de archivo como ruta absoluta."}], "id": "CVE-2018-20250", "lastModified": "2024-11-21T04:01:10.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-05T20:29:00.243", "references": [{"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"source": "cve@checkpoint.com", "tags": ["Third Party Advisory"], "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"source": "cve@checkpoint.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106948"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46552/"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46756/"}, {"source": "cve@checkpoint.com", "tags": ["Release Notes"], "url": "https://www.win-rar.com/whatsnew.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106948"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46552/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46756/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.win-rar.com/whatsnew.html"}], "sourceIdentifier": "cve@checkpoint.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-36"}], "source": "cve@checkpoint.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}