CVE-2018-20250
Published: 05 February 2019
Summary
CVE-2018-20250 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Rarlab Winrar. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
In WinRAR versions prior to and including 5.61, a path traversal vulnerability exists in the handling of the ACE archive format within UNACEV2.dll. By manipulating the filename field with specific patterns, an attacker can cause the extraction routine to ignore the user-specified destination folder and treat the supplied path as absolute, corresponding to CWE-36 and CWE-22.
The flaw is exploited by delivering a crafted ACE archive to a local user who then extracts it; the CVSS 7.8 score reflects a local attack vector, low attack complexity, no privileges required and that single user interaction. Successful exploitation yields an arbitrary file write outside the intended extraction directory, with high impact to confidentiality, integrity and availability. The vendor did not patch the library: WinRAR 5.70 removed UNACEV2.dll, and with it ACE support, so the remediation is to upgrade to 5.70 or later (or, on an older installation that cannot be upgraded, remove UNACEV2.dll so the ACE code path is no longer reachable).
Public references document working proof-of-concept code, a Metasploit module, and detailed technical analysis demonstrating code execution on the victim host via malicious archives (the archive is delivered remotely, but extraction is a local action, hence the local attack vector), confirming the issue has been weaponized in public tooling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-12813
Vulnerability details
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
- CWE(s): CWE-36 (Absolute Path Traversal), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
- KEV Date Added: 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted input (archive filename fields) to reject path traversal sequences and absolute or rooted paths before any write to disk occurs.
- SI-3 (Malicious Code Protection): requires automated detection and blocking of malicious code delivered via crafted archive files that attempt unauthorized writes.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of software and files to detect unauthorized modifications introduced by malicious archive extraction.
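The following is an added example, not code from this page, from WinRAR or from UNACEV2.dll. It models the failure mode described in the Deeper analysis and Vulnerability details sections (an entry name that looks absolute makes the extraction routine drop the user's destination folder) next to the SI-10 style check from the first mitigating control: resolve every entry name under the destination and verify containment after normalisation. It uses Python's ntpath so Windows path semantics are applied on any host; it does not parse real ACE archives, and the destination folder, the entry names and the dropped-file paths are constructed for illustration, not taken from any public PoC.

```python
"""Containment check for archive entry names before extraction (added example).

naive_target() is an illustrative model of the vulnerable behaviour, not the DLL's
code. safe_target() is the hardened resolver. Both use ntpath so the Windows
semantics apply regardless of the host OS.
"""
import ntpath
from typing import Optional, Tuple

# Destination folder chosen by the user (trusted). Constructed value.
DEST = "C:\\Users\\victim\\Downloads\\extract"


class UnsafeEntryName(ValueError):
    """Raised when an archive entry name would resolve outside the destination."""


def naive_target(dest_dir: str, entry_name: str) -> str:
    """Model of the vulnerable behaviour: an entry name with a drive letter, a UNC
    prefix or a leading separator is taken as an absolute path and dest_dir is
    silently ignored; only plain relative names are joined to dest_dir."""
    drive, rest = ntpath.splitdrive(entry_name)
    if drive or rest[:1] in ("\\", "/"):
        return ntpath.normpath(entry_name)
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened resolver: forces every entry under dest_dir and verifies containment
    on the normalised result. Raises UnsafeEntryName for anything that escapes."""
    root = ntpath.normpath(dest_dir)

    if not entry_name or "\x00" in entry_name:
        raise UnsafeEntryName("empty name or embedded NUL")
    # Drive letters ("C:..."), UNC prefixes ("\\server\share") and alternate data
    # streams ("file.txt:stream") are rejected outright rather than stripped.
    drive, rest = ntpath.splitdrive(entry_name)
    if drive or ":" in entry_name:
        raise UnsafeEntryName(f"drive, UNC or stream syntax in {entry_name!r}")
    if rest[:1] in ("\\", "/"):
        raise UnsafeEntryName(f"rooted path {entry_name!r}")

    # normpath collapses '.', '..' and mixed separators; the containment test must
    # run on the normalised path, never on the raw string.
    target = ntpath.normpath(ntpath.join(root, rest))
    if target == root:
        raise UnsafeEntryName(f"{entry_name!r} resolves to the destination itself")
    try:
        common = ntpath.commonpath([root, target])
    except ValueError:  # different drives, or absolute/relative mix
        raise UnsafeEntryName(f"{entry_name!r} leaves the destination")
    if ntpath.normcase(common) != ntpath.normcase(root):
        raise UnsafeEntryName(f"{entry_name!r} leaves the destination")
    return target


def classify(dest_dir: str, entry_name: str) -> Tuple[str, Optional[str]]:
    """Return (path the naive routine would write, path the safe one writes or None)."""
    try:
        safe: Optional[str] = safe_target(dest_dir, entry_name)
    except UnsafeEntryName:
        safe = None
    return naive_target(dest_dir, entry_name), safe


# Constructed entry names covering the patterns the advisory describes.
SAMPLE_ENTRIES = [
    "docs\\readme.txt",                      # benign, stays under DEST
    "docs/../../../../escape.txt",           # relative traversal, forward slashes
    "..\\..\\..\\ProgramData\\dropped.exe",  # relative traversal
    "C:\\ProgramData\\dropped.exe",          # absolute: naive routine ignores DEST
    "\\ProgramData\\dropped.exe",            # rooted, no drive: also escapes
    "\\\\server\\share\\dropped.exe",        # UNC path
    "notes.txt:hidden",                      # alternate data stream
]

if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        naive, safe = classify(DEST, name)
        print(f"{name!r:42} naive -> {naive}")
        print(f"{'':42} safe  -> {safe or 'REJECTED'}")
```

Running the block prints, for each constructed entry, where the naive routine would write and whether the hardened resolver accepts it; only the first entry is accepted. The check deliberately rejects rather than sanitises: stripping a drive letter or leading separator and carrying on is how subtle bypasses (mixed separators, "..\\" after a stripped prefix, stream syntax) creep back in.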