CVE-2018-20250

{"id": "CVE-2018-20250", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2019-02-05T20:29:00.243", "references": [{"url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@checkpoint.com"}, {"url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace", "tags": ["Third Party Advisory"], "source": "cve@checkpoint.com"}, {"url": "http://www.securityfocus.com/bid/106948", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "cve@checkpoint.com"}, {"url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@checkpoint.com"}, {"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "source": "cve@checkpoint.com"}, {"url": "https://www.exploit-db.com/exploits/46552/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@checkpoint.com"}, {"url": "https://www.exploit-db.com/exploits/46756/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@checkpoint.com"}, {"url": "https://www.win-rar.com/whatsnew.html", "tags": ["Release Notes"], "source": "cve@checkpoint.com"}, {"url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/106948", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.exploit-db.com/exploits/46552/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.exploit-db.com/exploits/46756/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.win-rar.com/whatsnew.html", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20250", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@checkpoint.com", "description": [{"lang": "en", "value": "CWE-36"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."}, {"lang": "es", "value": "En WinRAR, en versiones anteriores a la 5.61, hay una vulnerabilidad de salto de directorio al manipular el campo \"filename\" del formato ACE (en UNACEV2.dll). Cuando este campo se manipula con patrones espec\u00edficos, la carpeta de destino (extracci\u00f3n) se ignora, tratando el nombre de archivo como ruta absoluta."}], "lastModified": "2025-10-22T00:16:22.550", "cisaActionDue": "2022-08-15", "cisaExploitAdd": "2022-02-15", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7EA0C7CE-99E6-4C92-AE89-6C6A8DF92126", "versionEndIncluding": "5.61"}], "operator": "OR"}]}], "sourceIdentifier": "cve@checkpoint.com", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "WinRAR Absolute Path Traversal Vulnerability"}