CVE-2023-38831
Published: 23 August 2023
Summary
CVE-2023-38831 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in RARLAB WinRAR. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-2 (Baseline Configuration).
Deeper analysis
RARLAB WinRAR versions prior to 6.23 contain a path-handling flaw that permits arbitrary code execution. When a user opens or previews a seemingly benign file such as a .JPG inside a ZIP archive, the application also processes a folder that shares the same name as the file; any executable content placed inside that folder is executed with the privileges of the user. The vulnerability is tracked as CWE-345 and CWE-351 and carries a CVSS 3.1 score of 7.8.
An attacker can deliver a crafted ZIP archive via email, download, or removable media. Once the recipient attempts to view the innocuous file, the hidden folder contents run automatically, giving the attacker code execution on the local system with no user interaction beyond opening the archive and the file inside it.
WinRAR 6.23 and subsequent releases correct the folder-name collision logic. Security advisories and vendor guidance therefore recommend immediate upgrade; organizations should also verify that older builds are removed from endpoints and build pipelines.
The issue was exploited in the wild from April through October 2023, including campaigns attributed to government-backed actors that targeted cryptocurrency trading accounts. The current EPSS of 0.9386, near its recorded peak of 0.9395, reflects sustained attacker interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42604
Vulnerability details
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
- CWE(s): CWE-345, CWE-351
- KEV Date Added: 24 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of the vendor patch (WinRAR 6.23+) that eliminates the path-handling flaw allowing code execution from the crafted ZIP.
- CM-2 (Baseline Configuration): Enforces an approved baseline that includes only patched versions of WinRAR, preventing vulnerable instances from remaining on systems.
- Malicious-code protection mechanisms can block or alert on the executable payload that is automatically launched when the benign file is viewed inside the archive.
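The mechanism described under "Deeper analysis" (a file entry and a folder entry sharing one name inside a single ZIP) is something a mail gateway, sandbox or incident responder can check for directly, which complements the malicious-code protection control above. The following triage script is an added example written for this page; it is not tooling from RARLAB, CISA or the page's own analysis. It uses only Python's standard `zipfile` module, builds its sample archives in memory (constructed, with a harmless text file standing in for the folder contents), and goes slightly beyond the page's wording: the name comparison is case-insensitive and ignores trailing spaces and dots, a conservative assumption of this example so that near-identical names on a Windows file system are also flagged.

```python
"""Triage check for the CVE-2023-38831 archive pattern: a file entry and a
folder entry that share the same name inside one ZIP archive.

Added example for this page; the helper names are hypothetical."""
from __future__ import annotations

import io
import posixpath
import zipfile
from typing import Optional


def _normalize(name: str) -> str:
    # Assumption of this example: Windows names are case-insensitive and the
    # file system drops trailing spaces/dots, so such variants are treated as
    # the same name. normpath also removes a trailing "/" on folder entries.
    return posixpath.normpath(name.replace("\\", "/")).rstrip(" .").casefold()


def find_name_collisions(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {file_entry: [entries stored under a folder with that name]}.

    An empty dict means the archive does not show the collision pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()

    files: dict[str, str] = {}          # normalized name -> file entry name
    folders: dict[str, list[str]] = {}  # normalized folder -> entries under it
    for info in infos:
        raw = info.filename.replace("\\", "/")
        parts = raw.rstrip("/").split("/")
        if info.is_dir():
            # Explicit folder entries count as folders even when empty.
            folders.setdefault(_normalize(raw), [])
        else:
            files[_normalize(raw)] = info.filename
        # Every ancestor path of an entry is a folder that exists in the archive,
        # whether or not the ZIP carries an explicit directory record for it.
        for depth in range(1, len(parts)):
            prefix = _normalize("/".join(parts[:depth]))
            folders.setdefault(prefix, []).append(info.filename)

    return {
        files[key]: sorted(folders[key])
        for key in files
        if key in folders
    }


def describe_findings(zip_bytes: bytes) -> list[str]:
    """Human-readable lines for an analyst or a gateway alert."""
    return [
        f"{name!r} exists as a file and as a folder holding {len(kids)} entry(ies): {kids}"
        for name, kids in find_name_collisions(zip_bytes).items()
    ]


def build_sample(folder_name: Optional[str]) -> bytes:
    """Constructed in-memory sample, not a real archive from any campaign.

    folder_name=None yields a clean archive; otherwise a folder with that name
    is added beside 'photo.jpg', containing a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 constructed fake JPEG header")
        zf.writestr("docs/readme.txt", b"ordinary nested file")
        if folder_name is not None:
            zf.writestr(f"{folder_name}/notes.txt", b"placeholder text, not executable")
    return buf.getvalue()


if __name__ == "__main__":
    for label, name in (("clean", None), ("same name", "photo.jpg"), ("trailing space", "photo.jpg ")):
        findings = describe_findings(build_sample(name))
        print(f"[{label}] {'FLAG' if findings else 'ok'}", *findings, sep="\n  ")
```

Run it on a real archive with `find_name_collisions(open(path, "rb").read())`; a non-empty result is a reason to quarantine the file or open it only on a patched WinRAR (6.23 or later), not proof of malice on its own, since legitimate archives can in principle contain such a pair.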