CVE-2018-20250 - OpenCVE

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Rarlab	Winrar

Configuration 1 [-]

cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html	Third Party Advisory VDB Entry
http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace	Third Party Advisory
http://www.securityfocus.com/bid/106948	Third Party Advisory VDB Entry
https://github.com/blau72/CVE-2018-20250-WinRAR-ACE	Exploit Third Party Advisory
https://research.checkpoint.com/extracting-code-execution-from-winrar/	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/46552/	Exploit VDB Entry Third Party Advisory
https://www.exploit-db.com/exploits/46756/	Exploit VDB Entry Third Party Advisory
https://www.win-rar.com/whatsnew.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: checkpoint

Published: 2019-02-05T00:00:00

Updated: 2019-04-25T18:06:08

Reserved: 2018-12-19T00:00:00

Link: CVE-2018-20250

JSON object: View

NVD Information

Status : Modified

Published: 2019-02-05T20:29:00.243

Modified: 2019-10-09T23:39:36.057

Link: CVE-2018-20250

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "WinRAR", "vendor": "Check Point Software Technologies Ltd.", "versions": [{"status": "affected", "version": "All versions prior and including 5.61"}]}], "datePublic": "2019-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-36", "description": "CWE-36: Absolute Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-25T18:06:08", "orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45", "shortName": "checkpoint"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"tags": ["x_refsource_MISC"], "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"name": "46552", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46552/"}, {"name": "106948", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106948"}, {"tags": ["x_refsource_MISC"], "url": "https://www.win-rar.com/whatsnew.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"name": "46756", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46756/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@checkpoint.com", "DATE_PUBLIC": "2019-02-05T00:00:00", "ID": "CVE-2018-20250", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WinRAR", "version": {"version_data": [{"version_value": "All versions prior and including 5.61"}]}}]}, "vendor_name": "Check Point Software Technologies Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-36: Absolute Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE", "refsource": "MISC", "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"name": "https://research.checkpoint.com/extracting-code-execution-from-winrar/", "refsource": "MISC", "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"name": "46552", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46552/"}, {"name": "106948", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106948"}, {"name": "https://www.win-rar.com/whatsnew.html", "refsource": "MISC", "url": "https://www.win-rar.com/whatsnew.html"}, {"name": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"name": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace", "refsource": "MISC", "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"name": "46756", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46756/"}]}}}}, "cveMetadata": {"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45", "assignerShortName": "checkpoint", "cveId": "CVE-2018-20250", "datePublished": "2019-02-05T00:00:00", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2019-04-25T18:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"cisaActionDue": "2022-08-15", "cisaExploitAdd": "2022-02-15", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "WinRAR Absolute Path Traversal Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EA0C7CE-99E6-4C92-AE89-6C6A8DF92126", "versionEndIncluding": "5.61", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}, {"lang": "es", "value": "En WinRAR, en versiones anteriores a la 5.61, hay una vulnerabilidad de salto de directorio al manipular el campo \"filename\" del formato ACE (en UNACEV2.dll). Cuando este campo se manipula con patrones espec\u00edficos, la carpeta de destino (extracci\u00f3n) se ignora, tratando el nombre de archivo como ruta absoluta."}], "id": "CVE-2018-20250", "lastModified": "2019-10-09T23:39:36.057", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-05T20:29:00.243", "references": [{"source": "cve@checkpoint.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"}, {"source": "cve@checkpoint.com", "tags": ["Third Party Advisory"], "url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"}, {"source": "cve@checkpoint.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106948"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "VDB Entry", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/46552/"}, {"source": "cve@checkpoint.com", "tags": ["Exploit", "VDB Entry", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/46756/"}, {"source": "cve@checkpoint.com", "tags": ["Vendor Advisory"], "url": "https://www.win-rar.com/whatsnew.html"}], "sourceIdentifier": "cve@checkpoint.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-36"}], "source": "cve@checkpoint.com", "type": "Secondary"}]}