CVE-2018-20250 : In WinRAR versions prior to and including 5.61, There is path traversal vulnerab

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

Published 2019-02-05 20:29:00

Updated 2025-03-13 17:07:29

Source Check Point Software Technologies Ltd.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2018-20250

Rarlab » Winrar
Versions up to, including, (<=) 5.61
cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*
Matching versions

CVE-2018-20250 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.

CISA vulnerability name:

WinRAR Absolute Path Traversal Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2018-20250

Added on 2022-02-15 Action due date 2022-08-15

Exploit prediction scoring system (EPSS) score for CVE-2018-20250

EPSS FAQ

93.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2018-20250

RARLAB WinRAR ACE Format Input Validation Remote Code Execution

Disclosure Date: 2019-02-05

First seen: 2020-04-26

exploit/windows/fileformat/winrar_ace

In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, t

More information

CVSS scores for CVE-2018-20250

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2024-07-24
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-20250

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)
CWE-36 Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Assigned by: cve@checkpoint.com (Secondary)

References for CVE-2018-20250

http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace

RARLAB WinRAR ACE Format Input Validation Remote Code Execution | Rapid7
Third Party Advisory
http://www.securityfocus.com/bid/106948

WinRAR Multiple Security Vulnerabilities
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
https://github.com/blau72/CVE-2018-20250-WinRAR-ACE

GitHub - easis/CVE-2018-20250-WinRAR-ACE: Proof of concept code in C# to exploit the WinRAR ACE file extraction path (CVE-2018-20250).
Exploit;Third Party Advisory
https://research.checkpoint.com/extracting-code-execution-from-winrar/

Extracting a 19 Year Old Code Execution from WinRAR - Check Point Research
Exploit;Press/Media Coverage;Third Party Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/46552/

WinRAR 5.61 - Path Traversal
Exploit;Third Party Advisory;VDB Entry
https://www.win-rar.com/whatsnew.html

WinRAR download and support: Whats New
Release Notes

CVEs referencing this url
http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html

RARLAB WinRAR ACE Format Input Validation Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/46756/

RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)
Exploit;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-20250