GHSA-m6cj-93v6-cvr5

Source
https://github.com/advisories/GHSA-m6cj-93v6-cvr5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-m6cj-93v6-cvr5/GHSA-m6cj-93v6-cvr5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m6cj-93v6-cvr5
Aliases
Published
2022-02-01T00:47:23Z
Modified
2023-11-08T04:08:24.452888Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Junrar vulnerable to infinite loop via extracting carefully crafted RAR archive
Details

Impact

A carefully crafted RAR archive can trigger an infinite loop while it is being extracted. The impact depends solely on how the application uses the library and whether files can be provided by malicious users.

Patches

The problem is partially patched in 7.4.1.

Workarounds

None

References

https://github.com/junrar/junrar/issues/73

https://github.com/junrar/junrar/issues/81

Database specific
{
    "nvd_published_at": "2022-02-01T12:15:00Z",
    "github_reviewed_at": "2022-01-31T21:24:36Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400",
        "CWE-835"
    ]
}

Affected packages

Maven / com.github.junrar:junrar

Package

Name
com.github.junrar:junrar
Purl
pkg:maven/com.github.junrar/junrar

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.4.1

Affected versions

0.*

0.7

1.*

1.0.0
1.0.1

2.*

2.0.0

3.*

3.0.0
3.1.0

4.*

4.0.0

5.*

5.0.0

6.*

6.0.0
6.0.1

7.*

7.0.0
7.1.0
7.2.0
7.3.0
7.4.0