CVE-2014-9983
Published: 4 June 2017
Directory Traversal exists in RAR 4.x and 5.x because an unpack operation follows any symlinks, including symlinks contained in the archive. This allows remote attackers to write to arbitrary files via a crafted archive.
Notes
| Author | Note |
|---|---|
| sbeattie | PoC in Debian bug report |
Priority
Status
| Package | Release | Status |
|---|---|---|
| rar | artful | Ignored (end of life) |
| rar | bionic | Not vulnerable (2:5.3.b2-1) |
| rar | cosmic | Not vulnerable (2:5.3.b2-1) |
| rar | disco | Not vulnerable (2:5.3.b2-1) |
| rar | trusty | Does not exist (trusty was needed) |
| rar | upstream | Needs triage |
| rar | xenial | Released (2:5.3.b2-1) |
| rar | yakkety | Ignored (end of life) |
| rar | zesty | Ignored (end of life) |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |