CVE-2018-20250

high

Description

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

From the Tenable Blog

WinRAR Absolute Path Traversal Vulnerability Leads to Remote Code Execution (CVE-2018-20250)

WinRAR Absolute Path Traversal Vulnerability Leads to Remote Code Execution (CVE-2018-20250)

Published: 2019-02-25

A 19-year-old vulnerability in WinRAR’s ACE file format support (CVE-2018-20250) has been identified as part of an attack in the wild.

References

https://www.exploit-db.com/exploits/46756/

https://www.exploit-db.com/exploits/46552/

https://www.tenable.com/blog/winrar-absolute-path-traversal-vulnerability-leads-to-remote-code-execution-cve-2018-20250-0

https://www.win-rar.com/whatsnew.html

https://research.checkpoint.com/extracting-code-execution-from-winrar/

https://github.com/blau72/CVE-2018-20250-WinRAR-ACE

http://www.securityfocus.com/bid/106948

http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2019-02-05

Updated: 2025-03-13

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.93256