CVE-2020-9308 — Vulnetix

CVE-2020-9308 PUBLISHED CVSS 8.800000190734863 HIGH

archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.

EPSS 0.70% · 72.4th percentile

Risk Scores

CVSS 3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

0.70%

72.4th percentile

Affected Products

Vendor	Product	Versions
fedoraproject	fedora	31, 32
libarchive	libarchive	3.4.0
n/a	n/a	*
canonical	ubuntu_linux	19.10, 16.04, 18.04

Exploit Intelligence

https://github.com/libarchive/libarchive/pull/1326 (circl)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20459 (circl)
https://github.com/libarchive/libarchive/pull/1326/commits/94821008d6eea81e315c5881cdf739202961040a (circl)
GLSA-202003-28 (circl)
USN-4293-1 (circl)
FEDORA-2020-94211d0a7d (circl)
FEDORA-2020-d8278fe24d (circl)

Timeline

Feb 20, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Jul 21, 2021 CVE Updated
Aug 24, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Sep 4, 2022 EPSS Score

References

https://github.com/libarchive/libarchive/pull/1326 url
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20459 url
https://github.com/libarchive/libarchive/pull/1326/commits/94821008d6eea81e315c5881cdf739202961040a url
GLSA-202003-28 vendor-advisory
USN-4293-1 vendor-advisory
FEDORA-2020-94211d0a7d vendor-advisory
FEDORA-2020-d8278fe24d vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2020-9308 advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6OTE7GWASH2ZOVG5H3HEN5PR6B3KF7JB url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J76F7VU7HC3GBKG5SAKTRBOFOI3RGO6M url
https://usn.ubuntu.com/4293-1 url

Open in Interactive Console →