CVE-2022-30333
published 2022-05-09


Priority: P193 high · CVSS 3.1 score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2022-08-30)
Exploited in the wild
EPSS: 98.98% (99.9th percentile)
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

Affected

10 ranges

Vendor | Product       | Version range                 | Fixed in
debian | debian_linux  |                               |
debian | rar           | < rar 2:6.20~b1-0.1 (bookworm) | rar 2:6.20~b1-0.1 (bookworm)
debian | unrar-nonfree | < rar 2:6.20~b1-0.1 (bookworm) | rar 2:6.20~b1-0.1 (bookworm)
rarlab | rar           | >= 0 < 2:6.20-0.1~deb11u1     | 2:6.20-0.1~deb11u1
rarlab | rar           | >= 0 < 2:6.20~b1-0.1          | 2:6.20~b1-0.1
rarlab | rar           | >= 0 < 2:6.20~b1-0.1          | 2:6.20~b1-0.1
rarlab | rar           | >= 0 < 2:6.20~b1-0.1          | 2:6.20~b1-0.1
rarlab | rar           | >= 0 < 2:6.23-1~20.04.1       | 2:6.23-1~20.04.1
rarlab | rar           | >= 0 < 2:6.23-1~22.04.1       | 2:6.23-1~22.04.1
rarlab | unrar         | < 6.12                        | 6.12

Detection & IOCs (extracted from sources)

path: ~/.ssh/authorized_keys
url: https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz
  • The exploit works by embedding a Windows-style symbolic link in a RAR archive; when extracted on Linux, the symlink is not properly validated and can point anywhere on the filesystem. A second file in the archive with the same name is then written to the symlink destination — monitor for unexpected file writes outside the extraction directory during unRAR operations.
  • In Zimbra-targeted exploitation, a malicious RAR file is delivered via email; successful exploitation plants a JSP-based backdoor in the public web directory. Monitor Zimbra web directories for unexpected JSP file creation.
  • Vulnerable scope: Zimbra Collaboration 9.0.0 Patch 24 and earlier, and Zimbra Collaboration 8.8.15 Patch 31 and earlier, when UnRAR version 6.11 or earlier is installed. Use these version strings to identify unpatched assets.
  • The vulnerability is fixed in UnRAR version 6.12 (open source version 6.1.7). Detect unpatched systems by identifying hosts running UnRAR < 6.12 on Linux/UNIX.
  • CVE-2022-30333 has been exploited in the wild by the Chinese state-sponsored group RedHotel as part of initial access operations targeting public-facing applications. Correlate exploitation attempts against Zimbra with RedHotel C2 infrastructure.
  • This vulnerability only affects UnRAR on Linux and UNIX platforms. WinRAR and Android RAR are explicitly unaffected.
  • The libclamunrar (ClamAV) package is also affected and requires a separate update; patching UnRAR alone may not be sufficient if ClamAV is used for automated RAR scanning.
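A post-extraction audit for the escape pattern described in the first bullet, added here as an example and not part of this record or of UnRAR itself: it walks an extraction directory and reports every symlink whose resolved target lies outside that directory. The input tree is constructed in a temporary directory (a benign file, an in-tree alias and one escaping link), not a real archive.

```python
import os
import tempfile
from pathlib import Path


def audit_extraction_dir(root):
    """Return (link_path, resolved_target) for every symlink under `root`
    whose target resolves outside `root`; links that stay inside are ignored."""
    root = Path(root).resolve()
    offenders = []
    # followlinks=False: never descend through a symlinked directory
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            # realpath resolves as far as it can, even for a dangling link
            target = Path(os.path.realpath(entry))
            try:
                target.relative_to(root)  # still inside the tree: fine
            except ValueError:
                offenders.append((str(entry.relative_to(root)), str(target)))
    return offenders


def build_constructed_fixture():
    """Constructed sample tree (hypothetical, not produced by unrar): an
    'extract' directory holding a benign file, an in-tree alias and one
    relative link that leaves the tree for a sibling directory."""
    base = Path(tempfile.mkdtemp())
    extract = base / "extract"
    extract.mkdir()
    (base / "outside").mkdir()
    (extract / "readme.txt").write_text("benign entry\n")
    os.symlink("readme.txt", extract / "alias")          # stays inside
    os.symlink("../outside/target", extract / "escape")  # escapes the tree
    return extract


if __name__ == "__main__":
    for link, target in audit_extraction_dir(build_constructed_fixture()):
        print(f"symlink {link} escapes the extraction dir -> {target}")
```

Run it against a real extraction directory by passing that path to `audit_extraction_dir`; any reported link is a candidate for the write-through pattern the bullet describes and is worth correlating with file creation events outside the directory.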

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv           |         | 7.5   | HIGH     |
vulncheck     |         | 7.5   | HIGH     |
cisa          |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |
vendor_ubuntu |         | 7.5   | HIGH     |