CVE-2022-48579 — Link Following in Unrar

CWE-59 — Link Following9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 77.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rarlab Unrar

Timeline

PublishedAug 7

Latest updateMar 12

Description

UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDrarlab/unrar< 6.2.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

unrar-nonfree vulnerabilities↗2025-03-12

▶

CVEList

CVE-2022-48579: UnRAR before 6↗2023-08-07

▶

GHSA

GHSA-pg3x-qpq9-p4v6: UnRAR before 6↗2023-08-07

▶

OSV

CVE-2022-48579: UnRAR before 6↗2023-08-07

▶

📋Vendor Advisories

Ubuntu

UnRAR vulnerabilities↗2025-03-12

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Outside In Core (unrar) — CVE-2022-48579↗2024-04-15

▶

Microsoft

UnRAR before 6.2.3 allows extraction of files outside of the destination folder via symlink chains.↗2023-08-08

▶

Debian

CVE-2022-48579: unrar-nonfree - UnRAR before 6.2.3 allows extraction of files outside of the destination folder ...↗2022

▶