Cyber Resilience

CVE-2022-30333

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 09 May 2022
Modified: 03 November 2025
KEV Added: 09 August 2022
Patch
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.9279 (99.8th percentile)
Risk Priority: 91 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-30333 is a high-severity Path Traversal (CWE-22) vulnerability in RARLAB UnRAR. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

RARLAB UnRAR before version 6.12 on Linux and UNIX contains a directory traversal flaw that permits an archive to write files outside the intended extraction directory during unpack operations. The issue is tracked under CWE-22 and CWE-59 and carries a CVSS 3.1 score of 7.5. WinRAR and the Android RAR client are not affected.

An unauthenticated remote attacker can supply a malicious RAR archive that, when extracted by a vulnerable UnRAR binary, writes attacker-controlled content to arbitrary paths such as ~/.ssh/authorized_keys. This grants the ability to modify system files and achieve persistent access or code execution without any user interaction.

Debian and Gentoo advisories direct users to apply the upstream fix, while RARLAB published version 6.12 binaries that close the traversal vector. The referenced Zimbra disclosure further illustrates how the same flaw was chained into pre-authentication remote code execution when UnRAR processed attacker-supplied archives.

EPSS values have remained consistently high, with a recorded peak of 0.9573 and a current score of 0.9279, indicating sustained exploitation interest after public disclosure.

EU & UK References

Vulnerability details

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

CWE(s): CWE-22, CWE-59
KEV Date Added: 09 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rarlab, Product: unrar, Version: ≤ 6.12
Vendor: debian, Product: debian linux, Version: 10.0

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly requires timely installation of the UnRAR 6.12+ patch that eliminates the directory-traversal flaw.

Prevent (SI-10, Information Input Validation): Mandates validation of archive-supplied pathnames, exactly the missing control that permits traversal writes such as ~/.ssh/authorized_keys.

Prevent: Limits the damage an extracted file can cause by ensuring the UnRAR process runs with only the privileges needed for extraction.
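The SI-10 control above, and the traversal mechanism described under "Deeper analysis", come down to one check: every archive-supplied entry name must be validated against the extraction root before anything is written. The following Python is an added illustration of that check and is not RARLAB's code or the upstream 6.12 fix; the entry names it classifies are constructed samples. It rejects absolute names, any `..` component (checked before normalisation so `./` and `//` padding cannot hide one), and writes that would pass through a symlink already present inside the extraction root, which is the CWE-59 case the page also lists.

```python
"""Validate archive entry names before writing during extraction.

Added illustration of the input-validation control discussed on the page.
Not RARLAB code; sample entry names are constructed, not from a real archive.
"""
import os
import tempfile


class UnsafeEntry(ValueError):
    """Raised for an entry that would land outside the extraction root."""


def safe_target(dest_root: str, entry_name: str) -> str:
    """Return the absolute path an entry may be written to, or raise UnsafeEntry.

    Checks, in order:
      1. absolute names and drive-style prefixes are rejected;
      2. any '..' component is rejected before normalisation, so traversal
         padded with '.' or '//' does not slip through;
      3. the parent directory of the final path is resolved with realpath(),
         so a symlink already inside dest_root (CWE-59) cannot redirect the
         write outside it.
    """
    root = os.path.realpath(dest_root)
    # Archive formats carry '/'-separated names; treat backslash the same way.
    name = entry_name.replace("\\", "/")
    if not name or name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntry(f"absolute path rejected: {entry_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise UnsafeEntry(f"parent-directory component rejected: {entry_name!r}")
    if not parts:
        raise UnsafeEntry(f"empty entry name rejected: {entry_name!r}")
    candidate = os.path.join(root, *parts)
    # Resolve the parent so existing symlinks inside root cannot escape it.
    resolved_parent = os.path.realpath(os.path.dirname(candidate))
    final = os.path.join(resolved_parent, parts[-1])
    if not final.startswith(root + os.sep):
        raise UnsafeEntry(f"entry escapes extraction root: {entry_name!r}")
    return final


def classify(dest_root: str, entry_names):
    """Return {entry: 'ok' | 'rejected'} for a batch of entry names."""
    out = {}
    for n in entry_names:
        try:
            safe_target(dest_root, n)
            out[n] = "ok"
        except UnsafeEntry:
            out[n] = "rejected"
    return out


def demo():
    """Build a temporary extraction root that already contains a symlink
    pointing outside it, then run constructed entry names through the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "extract")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        # A symlink inside the root pointing outside it: the CWE-59 case.
        os.symlink(outside, os.path.join(root, "link"))
        samples = [
            "docs/readme.txt",          # benign relative entry
            "../.ssh/authorized_keys",  # the traversal pattern named on the page
            "/etc/passwd",              # absolute path
            "a/./b//../../c",           # traversal padded with '.' and '//'
            "link/dropped.txt",         # write through an existing symlink
        ]
        return classify(root, samples)


if __name__ == "__main__":
    for entry, verdict in demo().items():
        print(f"{verdict:9} {entry}")
```

Only the first sample is accepted; the other four are rejected before any file is opened for writing. The realpath step is what makes the check hold when the archive is extracted into a directory that already contains symlinks, which a plain string comparison on the normalised name would miss.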

References