CVE-2022-30333 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
rarlab	unrar	𝑥 < 6.12
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rar

bullseye/non-free	2:6.23-1~deb11u1 fixed
stretch	no-dsa
bookworm/non-free	2:6.23-1~deb12u1 fixed
trixie/non-free	2:7.01-1 fixed
sid/non-free	2:7.01-1 fixed

unrar-nonfree

bullseye/non-free	1:6.0.3-1+deb11u3 fixed
stretch	no-dsa
bookworm/non-free	1:6.2.6-1+deb12u1 fixed
trixie/non-free	1:7.0.9-1 fixed
sid/non-free	1:7.0.9-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libclamunrar

noble	not-affected
mantic	not-affected
lunar	Fixed 0.103.11-0ubuntu0.23.04.1 released
jammy	Fixed 0.103.11-0ubuntu0.22.04.1 released
focal	Fixed 0.103.11-0ubuntu0.20.04.1 released
bionic	needed
xenial	needed
trusty	ignored

rar

noble	Fixed 2:6.23-1 released
mantic	Fixed 2:6.23-1 released
lunar	ignored
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

unrar-nonfree

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	needed
impish	ignored
focal	needed
bionic	needed
xenial	needs-triage

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

http://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html

https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/

https://lists.debian.org/debian-lts-announce/2023/08/msg00022.html

https://security.gentoo.org/glsa/202309-04

https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz

https://www.rarlab.com/rar_add.htm

http://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html

https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/

https://lists.debian.org/debian-lts-announce/2023/08/msg00022.html

https://security.gentoo.org/glsa/202309-04

https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz

https://www.rarlab.com/rar_add.htm

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30333