CVE-2020-9308

moderate-risk

Published 2020-02-20

archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.

Do I need to act?

0.70% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (6)

Libarchive

Ubuntu Linux

Fedora

Affected Vendors

Canonical Fedoraproject Libarchive

References (14)

Issue Tracking https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20459

Patch https://github.com/libarchive/libarchive/pull/1326

Patch https://github.com/libarchive/libarchive/pull/1326/commits/94821008d6eea81e315c5...

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202003-28

Third Party Advisory https://usn.ubuntu.com/4293-1/

Issue Tracking https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20459

Patch https://github.com/libarchive/libarchive/pull/1326

Patch https://github.com/libarchive/libarchive/pull/1326/commits/94821008d6eea81e315c5...

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202003-28

Third Party Advisory https://usn.ubuntu.com/4293-1/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 2/34 · Minimal

Exposure 13/34 · Low