yaeljacobs67 / fs-agent

File system agent for integration with WhiteSource service
Apache License 2.0

CVE-2022-23596 (High) detected in junrar-1.0.1.jar #151

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago

CVE-2022-23596 - High Severity Vulnerability

Vulnerable Library - junrar-1.0.1.jar

rar decompression library in plain java

Library home page: https://github.com/junrar/junrar

Path to dependency file: /fs-agent/pom.xml

Path to vulnerable library: /2/repository/com/github/junrar/junrar/1.0.1/junrar-1.0.1.jar

Dependency Hierarchy:
- :x: **junrar-1.0.1.jar** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Junrar is an open source java RAR archive library. In affected versions, a carefully crafted RAR archive can trigger an infinite loop while extracting said archive. The impact depends solely on how the application uses the library, and whether files can be provided by malignant users. The problem is patched in 7.4.1. There are no known workarounds and users are advised to upgrade as soon as possible.

Publish Date: 2022-02-01

URL: CVE-2022-23596

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-m6cj-93v6-cvr5

Release Date: 2022-02-01

Fix Resolution: 3.0.0