In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, and the filename is treated as an absolute path.
Published 2019-02-05 20:29:00
Updated 2019-10-09 23:39:36
Vulnerability category: Directory traversal

CVE-2018-20250 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: WinRAR Absolute Path Traversal Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution
Added on: 2022-02-15
Action due date: 2022-08-15

Exploit prediction scoring system (EPSS) score for CVE-2018-20250

Probability of exploitation activity in the next 30 days: 97.39%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %

Metasploit modules for CVE-2018-20250

  • RARLAB WinRAR ACE Format Input Validation Remote Code Execution
    Disclosure Date: 2019-02-05
    First seen: 2020-04-26
    exploit/windows/fileformat/winrar_ace
    In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, t

CVSS scores for CVE-2018-20250

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
| 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |

CWE ids for CVE-2018-20250

  • The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
    Assigned by: nvd@nist.gov (Primary)
  • The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
    Assigned by: cve@checkpoint.com (Secondary)

References for CVE-2018-20250

Products affected by CVE-2018-20250
