CVE-2022-23596
Junrar vulnerable to infinite loop via extracting carefully crafted RAR archive
7.5
HIGH
CVSS 3.1
EPSS 0.36%
Description
### Impact
A carefully crafted RAR archive can trigger an infinite loop while the archive is being extracted. The impact depends solely on how the application uses the library, and on whether archives can be supplied by malicious users.
### Patches
The problem is partially patched in 7.4.1.
### Workarounds
None
### References
- https://github.com/junrar/junrar/issues/73
- https://github.com/junrar/junrar/issues/81
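As an added example (not code from the junrar project or from this advisory), a Java wrapper that runs extraction of an untrusted archive on a separate worker thread under a wall-clock limit, so a hung extraction fails the calling request instead of stalling it. The junrar calls used (`Archive`, `nextFileHeader`, `extractFile`, `FileHeader.getFileName`/`isDirectory`) are assumed to match the 7.x API and `destDir` is assumed to exist; the timeout only bounds the caller, since a worker stuck in the library's loop keeps spinning until the JVM exits, which is why upgrading is the actual fix.

```java
import com.github.junrar.Archive;
import com.github.junrar.exception.RarException;
import com.github.junrar.rarfile.FileHeader;
import java.io.*;
import java.util.concurrent.*;

/** Extracts a RAR archive from an untrusted source under a hard time limit (added example). */
public final class BoundedRarExtractor {

    // Daemon worker: a thread stuck in the library's loop must not block JVM shutdown.
    private static final ExecutorService WORKER = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "rar-extract");
        t.setDaemon(true);
        return t;
    });

    /** Returns the number of entries written, or throws TimeoutException when the limit is hit. */
    public static int extract(File rar, File destDir, long timeout, TimeUnit unit)
            throws IOException, TimeoutException, InterruptedException {
        Future<Integer> job = WORKER.submit(() -> {
            int written = 0;
            try (Archive archive = new Archive(rar)) {          // assumed junrar 7.x API
                FileHeader fh;
                while ((fh = archive.nextFileHeader()) != null) {
                    if (fh.isDirectory()) continue;
                    // Flatten to the base name so the archive cannot choose the output path.
                    File out = new File(destDir, new File(fh.getFileName()).getName());
                    try (OutputStream os = new FileOutputStream(out)) {
                        archive.extractFile(fh, os);
                    }
                    written++;
                }
            } catch (RarException e) {
                throw new IOException("malformed RAR archive: " + rar, e);
            }
            return written;
        });
        try {
            return job.get(timeout, unit);
        } catch (TimeoutException e) {
            job.cancel(true); // caller fails fast; the worker may keep spinning, so alert on it
            throw e;
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            throw new IOException("extraction failed: " + rar, cause);
        }
    }
}
```

A timeout here is a signal worth logging and alerting on: with a patched library it should essentially never fire on legitimate input, so repeated timeouts from one source point at crafted archives.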
How to fix CVE-2022-23596
To remediate CVE-2022-23596, upgrade the affected package to a fixed version below.
- junrar: upgrade to 7.4.1 or later
Is CVE-2022-23596 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- junrar: all versions from 0 up to, but not including, 7.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |