RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NDebian
OSDebian10.0Linux Kernel
OSLinuxwszystkie wersjeOpengroup Unix
OSOpengroupwszystkie wersjeRarlab Unrar
APPRarlab< 6.12
CISA KEV — detailsi
- Vendori
- RARLAB
- Producti
- UnRAR
- Added to KEVi
- August 9, 2022
- Remediation deadline (US Federal)i
- August 30, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP