Vulnerability CVE-2017-12938

Vulnerability Name:

CVE-2017-12938 (CCN-130756)

Assigned:

2015-08-15

Published:

2015-08-15

Updated:

2017-08-29

Summary:

UnRAR before 5.5.7 allows remote attackers to bypass a directory-traversal protection mechanism via vectors involving a symlink to the . directory, a symlink to the .. directory, and a regular file.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-22

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-12938

Source: CCN
Type: oss-sec Mailing List, Thu, 15 Jun 2017 17:33:48 -0400
UnRAR: directory traversal + memory safety bugs

Source: MISC
Type: Exploit, Mailing List, Third Party Advisory
http://seclists.org/oss-sec/2017/q3/290

Source: CCN
Type: UnRAR Web site
UnRAR

Source: XF
Type: UNKNOWN
unrar-cve201712938-dir-traversal(130756)

Vulnerable Configuration:

Configuration 1:

cpe:/a:rarlab:unrar:*:*:*:*:*:*:*:* (Version <= 5.5.6)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:51946	P	Security update for expat (Important)	2022-11-07
oval:org.opensuse.security:def:201712938	V	CVE-2017-12938	2022-09-02
oval:org.opensuse.security:def:29461	P	Security update for xorg-x11-server (Important)	2021-12-14
oval:org.opensuse.security:def:31719	P	Security update for glib-networking (Important)	2021-12-13
oval:org.opensuse.security:def:34611	P	Security update for bcm43xx-firmware (Important)	2021-12-13
oval:org.opensuse.security:def:30136	P	Security update for xen (Moderate)	2021-10-07
oval:org.opensuse.security:def:30124	P	Security update for Mesa (Moderate)	2021-09-16
oval:org.opensuse.security:def:31266	P	Security update for transfig (Moderate)	2021-09-16
oval:org.opensuse.security:def:30125	P	Security update for transfig (Moderate)	2021-09-16
oval:org.opensuse.security:def:33714	P	Security update for openssl-1_1 (Low)	2021-09-09
oval:org.opensuse.security:def:31675	P	Security update for bind (Moderate)	2021-08-30
oval:org.opensuse.security:def:34521	P	Security update for spectre-meltdown-checker (Moderate)	2021-08-27
oval:org.opensuse.security:def:34518	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:30118	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:126760	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:87450	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:60341	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:55941	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:32986	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:23958	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:89442	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:84199	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:58809	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:51639	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:30238	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:127157	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:88179	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:82620	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:56061	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:33706	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:26109	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:5096	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:85715	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:59529	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:31251	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:88493	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:83325	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:57074	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:33964	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:29413	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:125591	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:86136	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:59787	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:55236	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:31672	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:23651	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:89184	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:83445	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:57495	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:31209	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-06-18
oval:org.opensuse.security:def:34464	P	Security update for freeradius-server (Moderate)	2021-06-11
oval:org.opensuse.security:def:33670	P	Security update for qemu (Important)	2021-06-10
oval:org.opensuse.security:def:30210	P	Security update for ucode-intel (Important)	2021-06-10
oval:org.opensuse.security:def:36448	P	libgadu-1.8.2-1.24.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36406	P	fuse-devel-2.8.7-0.11.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:33646	P	Security update for avahi (Important)	2021-06-03
oval:org.opensuse.security:def:31614	P	Security update for java-1_7_0-openjdk (Moderate)	2021-04-29
oval:org.opensuse.security:def:31613	P	Security update for tomcat (Important)	2021-04-29
oval:org.opensuse.security:def:33104	P	Security update for tar (Low)	2021-03-29
oval:org.opensuse.security:def:31353	P	Security update for the Linux Kernel (Important)	2021-03-09
oval:org.opensuse.security:def:28949	P	Security update for wpa_supplicant (Important)	2021-03-09
oval:org.opensuse.security:def:32969	P	Security update for python36 (Important)	2021-02-01
oval:org.opensuse.security:def:31653	P	Security update for sudo (Important)	2021-01-26
oval:org.opensuse.security:def:29308	P	Security update for spice (Important)	2020-12-16
oval:org.opensuse.security:def:31565	P	Security update for openssl (Important)	2020-12-11
oval:org.opensuse.security:def:28868	P	Security update for python (Important)	2020-12-11
oval:org.opensuse.security:def:35657	P	LibVNCServer-0.9.1-154.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35768	P	libsndfile-1.0.20-2.4.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35665	P	acpid-1.0.6-91.16.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35608	P	libxml2-2.7.6-0.1.37 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35724	P	kdebase3-runtime-3.5.10-20.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35624	P	pam_krb5-2.3.1-47.10.15 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35549	P	ft2demos-2.3.7-25.9 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35696	P	file-32bit-4.24-43.19.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:34910	P	Security update for dosfstools (Moderate)	2020-12-01
oval:org.opensuse.security:def:30575	P	Security update for mozilla-nspr (Moderate)	2020-12-01
oval:org.opensuse.security:def:34134	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:29223	P	Security update for php53 (Important)	2020-12-01
oval:org.opensuse.security:def:35141	P	Security update for kernel-source (Important)	2020-12-01
oval:org.opensuse.security:def:30834	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:34392	P	Security update for unrar (Moderate)	2020-12-01
oval:org.opensuse.security:def:34230	P	Security update for php5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:29515	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:32357	P	Security update for squid3 (Important)	2020-12-01
oval:org.opensuse.security:def:32890	P	kde4-kgreeter-plugins on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:35389	P	Security update for openldap2 (Important)	2020-12-01
oval:org.opensuse.security:def:30937	P	Security update for glib2 (Important)	2020-12-01
oval:org.opensuse.security:def:30900	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:29621	P	Security update for boost	2020-12-01
oval:org.opensuse.security:def:33199	P	logwatch on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31117	P	Security update for krb5 (Important)	2020-12-01
oval:org.opensuse.security:def:34828	P	Security update for axis (Moderate)	2020-12-01
oval:org.opensuse.security:def:30340	P	Security update for unrar (Moderate)	2020-12-01
oval:org.opensuse.security:def:33501	P	Security update for Mozilla XULrunner	2020-12-01
oval:org.opensuse.security:def:28880	P	Security update for augeas (Moderate)	2020-12-01
oval:org.opensuse.security:def:34942	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:34909	P	Security update for dnsmasq (Moderate)	2020-12-01
oval:org.opensuse.security:def:30488	P	Security update for dhcp	2020-12-01
oval:org.opensuse.security:def:29166	P	Security update for mailman (Important)	2020-12-01
oval:org.opensuse.security:def:35005	P	Security update for gnutls	2020-12-01
oval:org.opensuse.security:def:30785	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:34352	P	Security update for strongswan (Moderate)	2020-12-01
oval:org.opensuse.security:def:34146	P	Security update for opensc (Moderate)	2020-12-01
oval:org.opensuse.security:def:32879	P	gvim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:35299	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:30893	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:30899	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:29603	P	Security update for axis (Moderate)	2020-12-01
oval:org.opensuse.security:def:30985	P	Security update for inn (Moderate)	2020-12-01
oval:org.opensuse.security:def:34770	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:30303	P	Security update for sudo (Important)	2020-12-01
oval:org.opensuse.security:def:33344	P	Security update for openldap2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28869	P	Security update for xorg-x11-libXp	2020-12-01
oval:org.opensuse.security:def:34916	P	Security update for elfutils (Low)	2020-12-01
oval:org.opensuse.security:def:30431	P	Security update for xorg-x11-server (Moderate)	2020-12-01
oval:org.opensuse.security:def:33607	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:29080	P	Security update for curl (Important)	2020-12-01
oval:org.opensuse.security:def:34921	P	Security update for evolution-data-server	2020-12-01
oval:org.opensuse.security:def:30730	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:34135	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:32878	P	guestfs-data on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:35242	P	Security update for poppler	2020-12-01
oval:org.opensuse.security:def:30873	P	Security update for expat (Moderate)	2020-12-01
oval:org.opensuse.security:def:34366	P	Security update for tcpdump (Moderate)	2020-12-01
oval:org.opensuse.security:def:29564	P	Security update for OpenEXR (Moderate)	2020-12-01
oval:org.opensuse.security:def:32396	P	Security update for unrar (Moderate)	2020-12-01
oval:org.opensuse.security:def:31575	P	Security update for sudo	2020-12-01
oval:org.opensuse.security:def:30911	P	Security update for freetype2	2020-12-01
oval:org.opensuse.security:def:29665	P	Security update for cyrus-imapd (Important)	2020-12-01
oval:org.opensuse.security:def:33256	P	socat on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34877	P	Security update for curl	2020-12-01
oval:org.opensuse.security:def:30342	P	Security update for unzip (Moderate)	2020-12-01
oval:org.opensuse.security:def:33558	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:31509	P	Security update for python27 (Moderate)	2020-12-01
oval:org.opensuse.security:def:34986	P	Security update for giflib (Moderate)	2020-12-01
oval:com.ubuntu.bionic:def:2017129380000000	V	CVE-2017-12938 on Ubuntu 18.04 LTS (bionic) - medium.	2017-08-18
oval:com.ubuntu.artful:def:201712938000	V	CVE-2017-12938 on Ubuntu 17.10 (artful) - medium.	2017-08-18
oval:com.ubuntu.xenial:def:201712938000	V	CVE-2017-12938 on Ubuntu 16.04 LTS (xenial) - medium.	2017-08-18
oval:com.ubuntu.xenial:def:2017129380000000	V	CVE-2017-12938 on Ubuntu 16.04 LTS (xenial) - medium.	2017-08-18
oval:com.ubuntu.bionic:def:201712938000	V	CVE-2017-12938 on Ubuntu 18.04 LTS (bionic) - medium.	2017-08-18
oval:com.ubuntu.disco:def:2017129380000000	V	CVE-2017-12938 on Ubuntu 19.04 (disco) - medium.	2017-08-18
oval:com.ubuntu.cosmic:def:201712938000	V	CVE-2017-12938 on Ubuntu 18.10 (cosmic) - medium.	2017-08-18
oval:com.ubuntu.cosmic:def:2017129380000000	V	CVE-2017-12938 on Ubuntu 18.10 (cosmic) - medium.	2017-08-18
oval:com.ubuntu.trusty:def:201712938000	V	CVE-2017-12938 on Ubuntu 14.04 LTS (trusty) - medium.	2017-08-18

BACK