HIGH 7.8
KEV
CVE-2018-20250
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, and the filename is treated as an absolute path.
CVSS v3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
93.5%
percentile 99.8%
CISA Known Exploited Vulnerability
- Added to KEV: 2022-02-15
- Remediation deadline: 2022-08-15
- Required action: Apply updates per vendor instructions.
- Ransomware: Yes (known ransomware campaign)
Affected tracked apps
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| rarlab | winrar | Windows | ≤5.61 | cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:* |