Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2023-38831
CVE-2023-38831:
WinRAR vulnerability analysis and mitigation
Overview
CVE-2023-38831 is a critical vulnerability in RARLAB WinRAR versions before 6.23 that allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The vulnerability was discovered in July 2023 but had been actively exploited in the wild since April 2023. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, allowing malicious executable content to be processed during an attempt to access only the benign file (NVD, BleepingComputer).
Technical details
The vulnerability exploits a logical flaw in WinRAR's ShellExecute function when processing crafted archives. When a user double-clicks on a benign file (e.g., 'poc.png_'), WinRAR extracts both the selected file and files inside a matched directory to a temporary directory. Due to path normalization that removes appended spaces, and Windows' ShellExecute behavior with invalid extensions, the system executes malicious content instead of the intended benign file. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Google TAG).
Impact
The vulnerability has been exploited to target cryptocurrency and stock trading forums, with at least 130 confirmed trader devices infected. The attacks led to the deployment of various malware families including DarkMe, GuLoader, and Remcos RAT, enabling attackers to gain remote access to infected devices, perform keylogging, screen capturing, file management, and potentially steal cryptocurrency assets (BleepingComputer).
Mitigation and workarounds
The vulnerability has been patched in WinRAR version 6.23, released on August 2, 2023. Users are strongly urged to upgrade to this version immediately to protect against this and other security issues. Google's Safe Browsing and Gmail services now block files containing this exploit. Organizations and users are advised to keep their software fully up-to-date and install security updates as soon as they become available (Google TAG).
Community reactions
The discovery of this vulnerability has raised concerns about the widespread use of WinRAR and its lack of auto-update functionality, which may leave millions of users vulnerable for years. The incident has also highlighted the risks associated with using proprietary software without regular security updates (HelpNet Security).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management