CVE-2022-30333
Published: 09 May 2022
Summary
CVE-2022-30333 is a high-severity Path Traversal (CWE-22) vulnerability in Rarlab Unrar. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
RARLAB UnRAR before version 6.12 on Linux and UNIX contains a directory traversal flaw that permits an archive to write files outside the intended extraction directory during unpack operations. The issue is tracked under CWE-22 and CWE-59 and carries a CVSS 3.1 score of 7.5. WinRAR and the Android RAR client are not affected.
An unauthenticated remote attacker can supply a malicious RAR archive that, when extracted by a vulnerable UnRAR binary, writes attacker-controlled content to arbitrary paths such as ~/.ssh/authorized_keys. This grants the ability to modify system files and achieve persistent access or code execution without any user interaction.
Debian and Gentoo advisories direct users to apply the upstream fix, while RARLAB published version 6.12 binaries that close the traversal vector. The referenced Zimbra disclosure further illustrates how the same flaw was chained into pre-authentication remote code execution when UnRAR processed attacker-supplied archives.
EPSS values have remained consistently high, with a recorded peak of 0.9573 and a current score of 0.9279, indicating sustained exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52276
Vulnerability details
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
- CWE(s): CWE-22, CWE-59
- KEV Date Added: 09 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the UnRAR 6.12+ patch that eliminates the directory-traversal flaw.
- SI-10 (Information Input Validation): mandates validation of archive-supplied pathnames, exactly the missing control that permits traversal writes such as ~/.ssh/authorized_keys.
- Least privilege: limits the damage an extracted file can cause by ensuring the UnRAR process runs with only the privileges needed for extraction.
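The pathname validation described under SI-10, as an added example that is not UnRAR's own code: a check an extraction routine can apply to each entry name before writing it, covering both the `..` traversal (CWE-22) and a write through a symlink left behind by an earlier entry (CWE-59). The `is_safe_entry` and `demo` functions and the scratch directories are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def is_safe_entry(dest_dir, entry_name):
    """True only if writing archive entry `entry_name` under `dest_dir` stays inside it.

    Rejects absolute names and `..` components (the CWE-22 traversal), and any
    path component already on disk that is a symlink resolving outside dest_dir
    (the CWE-59 case: a link entry unpacked first, then a file written through it).
    """
    dest = Path(dest_dir).resolve()
    # Archives may carry either separator style; normalise before splitting.
    parts = [p for p in entry_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or os.path.isabs(entry_name) or ".." in parts:
        return False
    # Walk component by component: resolve() follows symlinks, so an existing
    # link that escapes dest is caught before anything would be written through it.
    current = dest
    for part in parts:
        current = current / part
        if current.exists() or current.is_symlink():
            real = current.resolve()
            if real != dest and dest not in real.parents:
                return False
    return True


def demo():
    """Run the check on constructed entry names inside a scratch extraction directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        dest.mkdir()
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (dest / "sub").mkdir()
        # Constructed: a link left behind by an earlier entry, pointing outside dest.
        (dest / "link").symlink_to(outside, target_is_directory=True)
        names = [
            "docs/readme.txt",             # normal entry -> allowed
            "sub/file.txt",                # existing real directory -> allowed
            "../../.ssh/authorized_keys",  # classic traversal -> rejected
            "/etc/passwd",                 # absolute path -> rejected
            "link/authorized_keys",        # write through escaping symlink -> rejected
        ]
        return {name: is_safe_entry(dest, name) for name in names}
```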