Overview
- Description
- In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
- Source
- cve@checkpoint.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 6.8
- Impact score
- 6.4
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:P/I:P/A:P
Known exploits
Data from CISA
- Vulnerability name
- WinRAR Absolute Path Traversal Vulnerability
- Exploit added on
- Feb 15, 2022
- Exploit action due
- Aug 15, 2022
- Required action
- Apply updates per vendor instructions.
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7EA0C7CE-99E6-4C92-AE89-6C6A8DF92126",
"versionEndIncluding": "5.61"
}
],
"operator": "OR"
}
]
}
]