A vulnerability (CVE-2022-30333) has been identified in the unrar utility that allows a specially crafted archive, when unpacked, to overwrite files outside the current directory, to the extent that the user's permissions allow. The issue is fixed in RAR 6.12 and unrar 6.1.7. The vulnerability affects the Linux, FreeBSD and macOS versions but not the Android and Windows builds.
The problem stems from a lack of proper checking for “/..” sequences in the file paths stored in the archive, which makes it possible to escape the base directory during extraction. For example, by placing an entry named “../.ssh/authorized_keys” in the archive, an attacker could attempt to overwrite the user's “~/.ssh/authorized_keys” file at extraction time.
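As an added illustration (not code from the unrar project or from its fix), the following Python function shows the kind of entry-path check an extractor needs before it writes any member to disk: it rejects absolute names and any name that, after normalisation, still points outside the destination directory. The destination path `/tmp/extract` and the sample entry names are constructed for this demonstration; treating backslashes as separators is a defensive choice made here, not something the page states about unrar.

```python
import os
import posixpath


def is_safe_member_path(member: str, dest_dir: str = "/tmp/extract") -> bool:
    """Return True only if the archive member name resolves inside dest_dir.

    dest_dir defaults to a constructed example path; a real extractor passes
    the directory it is actually writing into.
    """
    # An empty name has nowhere to go; reject it rather than mapping it to dest_dir itself.
    if not member:
        return False
    # Members should always be relative; an absolute name is an escape by definition.
    if member.startswith("/") or member.startswith("\\"):
        return False
    # Defensive choice: treat backslashes as separators so "..\\x" is not missed
    # by a check that only looks for "../".
    normalized = posixpath.normpath(member.replace("\\", "/"))
    # After "." and ".." components are collapsed, any leading ".." escapes the destination.
    if normalized == ".." or normalized.startswith("../"):
        return False
    # Defence in depth: resolve the final target and confirm it stays under dest_dir.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, normalized))
    return target == dest or target.startswith(dest + os.sep)


def partition_members(names, dest_dir: str = "/tmp/extract"):
    """Split a list of member names into (safe, rejected) before extraction begins."""
    safe, rejected = [], []
    for name in names:
        (safe if is_safe_member_path(name, dest_dir) else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    # Constructed sample listing: two harmless entries and several traversal attempts.
    sample = [
        "docs/readme.txt",
        "src/../build/output.bin",
        "../.ssh/authorized_keys",
        "/etc/passwd",
        "a/b/../../../evil.sh",
    ]
    ok, bad = partition_members(sample)
    print("safe:    ", ok)
    print("rejected:", bad)
```

The first two checks catch the textbook cases cheaply; the `realpath` comparison is the one that still holds if an earlier step is bypassed, because it compares the resolved on-disk target against the resolved destination rather than inspecting the string.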