CyberSec.Space Logo
Back to CVE Browser

CVE-2018-20250

Known Exploited (CISA KEV)HIGH
7.8
CVSS Severity Score
EPSS Score33.7130%
EPSS Percentile87.83th
PublishedFeb 5, 2019
Last ModifiedOct 31, 2025

Vulnerability Description

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

Affected Platforms (CPE)

πŸ“¦
Rarlab

Winrar

<= 5.61

References & Advisories

πŸ”— http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
πŸ”— http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
πŸ”— http://www.securityfocus.com/bid/106948
πŸ”— https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
πŸ”— https://research.checkpoint.com/extracting-code-execution-from-winrar/
πŸ”— https://www.exploit-db.com/exploits/46552/
πŸ”— https://www.exploit-db.com/exploits/46756/
πŸ”— https://www.win-rar.com/whatsnew.html

Related Vulnerabilities

CVE-2004-125410.0

WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file wit...

CVE-2008-714410.0

Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to crafted (1) AC...

CVE-2006-38459.3

Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 beta 6 allows remote attackers to execute arbitrary code via a ...

CVE-2018-202537.8

In WinRAR versions prior to and including 5.60, There is an out-of-bounds write vulnerability during parsing of a crafted LHA / LZ...