Published: 02/05/2018 Updated: 24/08/2020

CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6

CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8

VMScore: 605

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote malicious users to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

Vulnerable Product	Search on Vulmon	Subscribe to Product
7-zip 7-zip

Debian Bug report logs - #897674 p7zip-rar: CVE-2018-10115 Package: src:p7zip-rar; Maintainer for src:p7zip-rar is Robert Luberda <robert@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 4 May 2018 06:03:01 UTC Severity: grave Tags: security, upstream Found in version p7zip-rar/1602-1 ...

An uninitialized memory security issue has been found in the RAR decoder component of 7-Zip before 1805, resulting in arbitrary code execution ...

Critical Infrastructure Sectors: Healthcare and Public Health

7Zip This is a Linux version of the 7zip open-source file archiver It is a fork of p7zip which can be downloaded from sourceforgenet A fix has been applied for the vulnerability CVE-2018-10115, and these changes are also available on the p7zip 'Open Discussion' forum here

CWE-665 CWE-908 https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/http://www.securitytracker.com/id/1040832 http://www.securityfocus.com/bid/104132 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674 https://nvd.nist.gov https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01 https://security.archlinux.org/CVE-2018-10115

CVE-2018-10115

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

ICS Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect