CVE-2022-30333 — RARLAB UnRAR Directory Traversal Vulnerability

CVE-2022-30333

RARLAB UnRAR — Path Traversal on Linux/Unix Exploited via Zimbra to Achieve Unauthenticated RCE

What is RARLAB UnRAR?

UnRAR is the official command-line tool for extracting RAR archives, developed by RARLAB. It is used across Linux and Unix systems to unpack RAR-format compressed files, including in email security gateways, file servers, and collaboration platforms. Zimbra Collaboration Suite uses UnRAR to extract and scan RAR email attachments for malicious content — which turned CVE-2022-30333 from a file-write primitive into a complete unauthenticated RCE on Zimbra mail servers.

Overview

CVE-2022-30333 is a path traversal vulnerability (CWE-22) in RARLAB's UnRAR tool for Linux and Unix. When extracting a specially crafted RAR archive, UnRAR writes files to paths outside the intended extraction directory — including arbitrary locations on the filesystem accessible to the process. When exploited against Zimbra Collaboration Suite (which runs UnRAR as part of email scanning), an unauthenticated attacker can send a malicious RAR email to a Zimbra server and achieve remote code execution by writing a JSP web shell into the Zimbra web root.

Affected Versions

Product | Vulnerable | Fixed
UnRAR (Linux/Unix) | < 6.12 | 6.12
Zimbra Collaboration Suite | Any version using UnRAR < 6.12 | Update UnRAR; ZCS patches also released

Windows UnRAR is not affected by this specific vulnerability.

Technical Details

The path traversal occurs because UnRAR on Linux/Unix does not properly sanitize archive entry filenames containing symlinks or path separators that point outside the target extraction directory. A crafted RAR archive can include a symlink entry followed by a file entry whose path passes through that symlink, so the file is written wherever the link points rather than inside the extraction directory.
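The following is an added example, not code from UnRAR, RARLAB or Zimbra, showing the class of defect described above from the extractor's side: a naive extractor that trusts entry names and follows a previously extracted symlink, beside a hardened one that resolves every path before writing. The archive format is a constructed in-memory list of entries (the real RAR container is not parsed), and the "outside" directory is a stand-in for any location the extracting process must never write to.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


# Constructed, simplified model of archive entries; the real RAR format is not parsed here.
@dataclass
class Entry:
    name: str                          # path inside the archive, relative to the extraction root
    data: bytes = b""                  # file contents (unused for symlink entries)
    link_target: Optional[str] = None  # set when the entry is a symbolic link


def normalize_name(name: str) -> str:
    """Treat both separator styles as separators BEFORE any safety check, so a name
    cannot pass the check in one spelling and be written in another."""
    return name.replace("\\", "/")


def is_within(root: str, path: str) -> bool:
    """True if path, after resolving symlinks and '..', stays inside root."""
    root = os.path.realpath(root)
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def naive_extract(entries: List[Entry], dest: str) -> List[str]:
    """Unsafe extractor: writes each entry without checking where its parent directory
    actually resolves. A file entry whose path passes through a symlink created by an
    earlier entry lands wherever that link points."""
    written = []
    for e in entries:
        path = os.path.join(dest, normalize_name(e.name))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if e.link_target is not None:
            os.symlink(normalize_name(e.link_target), path)
        else:
            with open(path, "wb") as fh:
                fh.write(e.data)
            written.append(os.path.realpath(path))
    return written


def safe_extract(entries: List[Entry], dest: str) -> List[str]:
    """Hardened extractor: rejects any entry whose resolved location leaves dest and
    any symlink whose resolved target leaves dest, checking before anything is written."""
    written = []
    for e in entries:
        path = os.path.join(dest, normalize_name(e.name))
        parent = os.path.dirname(path)
        if not is_within(dest, parent) or not is_within(dest, path):
            raise ValueError(f"entry escapes extraction root: {e.name!r}")
        target = normalize_name(e.link_target) if e.link_target is not None else None
        if target is not None:
            if os.path.isabs(target) or not is_within(dest, os.path.join(parent, target)):
                raise ValueError(f"symlink target escapes extraction root: {e.name!r} -> {target!r}")
        os.makedirs(parent, exist_ok=True)
        if target is not None:
            os.symlink(target, path)
        else:
            with open(path, "wb") as fh:
                fh.write(e.data)
            written.append(os.path.realpath(path))
    return written


def demo() -> dict:
    """Runs both extractors on the same constructed entry list in a throw-away directory
    and reports whether the file escaped (naive) or the archive was refused (safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")  # stands in for a directory that must never be written
        os.makedirs(outside)
        entries = [
            Entry("hop", link_target="../outside"),         # symlink pointing outside the extraction root
            Entry("hop/planted.txt", data=b"constructed"),  # file entry whose path goes through that symlink
        ]
        dest_a = os.path.join(tmp, "extract_naive")
        os.makedirs(dest_a)
        landed = naive_extract(entries, dest_a)[0]
        naive_escaped = not is_within(dest_a, landed)

        dest_b = os.path.join(tmp, "extract_safe")
        os.makedirs(dest_b)
        try:
            safe_extract(entries, dest_b)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        return {
            "naive_escaped": naive_escaped,
            "safe_rejected": safe_rejected,
            "outside_written": os.path.exists(os.path.join(outside, "planted.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened version makes the check and the write agree: names are normalized first, then every candidate path and every symlink target is resolved with `os.path.realpath` against the extraction root, so an earlier symlink cannot redirect a later write. Extractors that need no symlink support at all can simply refuse symlink entries, which removes this class of problem entirely.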

  • Exploitation via Zimbra: Zimbra processes incoming email attachments including RAR files using UnRAR for content inspection. An attacker sends a crafted RAR email to any address on the Zimbra server. Zimbra's Amavis content scanner extracts the RAR via UnRAR. The traversal writes a JSP file to the Zimbra webapps directory. The attacker then accesses the JSP via HTTP to execute commands — all without authentication.
  • Authentication required: None — sending an email to any address on the server is sufficient
  • User interaction required: None — Zimbra processes attachments automatically
  • CVSS reflects only file write (Integrity: High; no Confidentiality or Availability impact from the traversal alone); actual RCE impact in the Zimbra context far exceeds the base score

Discovery

Discovered by Simon Scannell from SonarSource, who reported it to RARLAB and coordinated disclosure.

Exploitation Context

CISA added CVE-2022-30333 to KEV in August 2022, driven by observed exploitation against Zimbra servers. The combination of a path traversal in UnRAR and Zimbra's automatic email scanning created a zero-click RCE on a widely deployed enterprise mail platform. Zimbra is used by thousands of organizations including government agencies, and threat actors systematically targeted exposed Zimbra installations. Google TAG later attributed Zimbra-focused attacks to multiple nation-state actors in 2022.

Remediation

  1. Upgrade UnRAR to version 6.12 or later on all Linux/Unix systems
  2. Apply the Zimbra Collaboration Suite security patches that address this issue — Zimbra released updates bundling the fixed UnRAR
  3. If immediate patching is not possible, remove or disable UnRAR processing in Zimbra's Amavis configuration as a temporary workaround
  4. Review Zimbra web directories for unauthorized JSP files: find /opt/zimbra/jetty/webapps -name "*.jsp" -newer /opt/zimbra/conf/zmconfigd.cf
  5. Audit Zimbra logs for unusual HTTP requests to JSP files that do not correspond to the Zimbra application
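Steps 4 and 5 above can be scripted. The block below is an added example, not a Zimbra or RARLAB tool: it re-implements the `find -newer` check over a constructed webapps tree and scans constructed access-log lines for requests to `.jsp` resources outside an allowlist of expected locations. The log format assumed is the common combined format (Zimbra's own access-log layout is not stated on the page), and the allowlist prefixes are placeholders that an operator must replace with the JSP paths their own Zimbra build actually serves; in a real run the filesystem root would be the /opt/zimbra/jetty/webapps directory from step 4.

```python
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Combined-format access log line: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Placeholder allowlist: replace with the JSP locations your Zimbra build legitimately serves.
ALLOWED_JSP_PREFIXES = ("/zimbra/public/", "/zimbraAdmin/public/")

# Constructed sample log; the addresses are documentation ranges, the paths are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2022:03:14:07 +0000] "GET /zimbra/ HTTP/1.1" 200 5123
192.0.2.10 - - [12/Aug/2022:03:14:09 +0000] "GET /zimbra/public/page.jsp HTTP/1.1" 200 811
198.51.100.7 - - [12/Aug/2022:03:20:41 +0000] "GET /zimbra/dropped.jsp?q=1 HTTP/1.1" 200 64
198.51.100.7 - - [12/Aug/2022:03:20:55 +0000] "POST /zimbra/dropped.jsp HTTP/1.1" 200 128
203.0.113.5 - - [12/Aug/2022:04:01:02 +0000] "GET /zimbra/img/logo.png HTTP/1.1" 200 2048
"""


def suspicious_jsp_requests(lines: Iterable[str],
                            allowed_prefixes=ALLOWED_JSP_PREFIXES) -> List[Dict[str, str]]:
    """Returns requests for .jsp resources whose path is not under an allowlisted prefix.
    Query strings are dropped first so '/x.jsp?a=b' is judged by '/x.jsp'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently classify it
        path = m.group("target").split("?", 1)[0]
        if not path.lower().endswith(".jsp"):
            continue
        if any(path.startswith(p) for p in allowed_prefixes):
            continue
        hits.append({"ip": m.group("ip"), "method": m.group("method"),
                     "path": path, "status": m.group("status")})
    return hits


def jsp_newer_than(root: str, reference: str) -> List[str]:
    """Python equivalent of the find(1) command in step 4: every .jsp under root whose
    modification time is later than the reference file's, as paths relative to root."""
    ref_mtime = os.stat(reference).st_mtime
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn.lower().endswith(".jsp") and os.stat(full).st_mtime > ref_mtime:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def demo_filesystem_check() -> List[str]:
    """Builds a constructed webapps tree with hand-set timestamps and runs the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webapps")
        os.makedirs(os.path.join(root, "zimbra"))
        reference = os.path.join(tmp, "reference.cf")  # stands in for the reference file

        def touch(path: str, mtime: int) -> None:
            with open(path, "w") as fh:
                fh.write("x")
            os.utime(path, (mtime, mtime))

        touch(reference, 1_660_000_000)
        touch(os.path.join(root, "zimbra", "shipped.jsp"), 1_650_000_000)  # older than reference
        touch(os.path.join(root, "zimbra", "dropped.jsp"), 1_670_000_000)  # newer: flagged
        return jsp_newer_than(root, reference)


if __name__ == "__main__":
    for hit in suspicious_jsp_requests(SAMPLE_LOG.splitlines()):
        print(hit)
    print(demo_filesystem_check())
```

A file flagged by the timestamp check is only a lead: compare it against the package manifest or a known-good installation before treating it as a web shell, and pair it with the log scan, since a dropped JSP that was never requested and a requested JSP that no longer exists on disk both tell part of the story.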

Key Details

CVE ID: CVE-2022-30333
Vendor / Product: RARLAB — UnRAR
NVD Published: 2022-05-09
NVD Last Modified: 2025-11-03
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH
CWE: CWE-22
CISA KEV Added: 2022-08-09
CISA KEV Deadline: 2022-08-30
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-08-30. Apply updates per vendor instructions.

Timeline

2022-05-06: Simon Scannell (SonarSource) reports the vulnerability to RARLAB
2022-05-09: CVE published; RARLAB releases UnRAR 6.12 with fix
2022-08-09: Added to CISA Known Exploited Vulnerabilities catalog
2022-08-30: CISA BOD 22-01 remediation deadline