CVE-2022-48579 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Vendor	Product	Version
rarlab	unrar	𝑥 < 6.2.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

unrar-nonfree

bullseye/non-free	1:6.0.3-1+deb11u3 fixed
bookworm/non-free	1:6.2.6-1+deb12u1 fixed
trixie/non-free	1:7.0.9-1 fixed
sid/non-free	1:7.0.9-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

unrar-nonfree

noble	not-affected
mantic	not-affected
lunar	not-affected
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee

https://lists.debian.org/debian-lts-announce/2023/08/msg00023.html

https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee

https://lists.debian.org/debian-lts-announce/2023/08/msg00023.html