A vulnerability (CVE-2022-30333) has been identified in the unrar utility which allows a specially crafted archive, when unpacked, to overwrite files outside the current directory, limited only by the permissions of the user running the extraction. The issue is fixed in RAR 6.12 and unrar 6.1.7. The vulnerability affects the Linux, FreeBSD and macOS builds, but not the Android and Windows builds.
The problem is caused by the lack of proper checking of the "/.." sequence in the file paths stored in the archive, which lets extraction write files outside the base directory. For example, by placing "../.ssh/authorized_keys" in the archive, an attacker can try to overwrite the user's "~/.ssh/authorized_keys" file at the time of unpacking.
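The mitigation for this class of bug is to decide where each entry would actually land before anything is written, instead of pattern-matching the path string. The following is an added example (not code from unrar, RAR or the opennet article) of such a pre-extraction check in Python; the extraction directory `/tmp/extract` and the archive listing are assumed, constructed values, and the backslash handling goes beyond the page's text, which mentions only the "/.." sequence.

```python
import os
from typing import Iterable, List, Tuple

# Directory the archive is being unpacked into (assumed value for this example).
BASE_DIR = "/tmp/extract"


def is_safe_member_path(name: str, base_dir: str = BASE_DIR) -> bool:
    """True only if extracting `name` would create a file inside base_dir.

    Instead of searching the string for "/.." or "../", the entry name is
    joined to the extraction directory and fully normalised, so the check is
    on the final location rather than on one particular spelling of the
    traversal.
    """
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators as well (beyond the page's text, which
    # only mentions "/.."); Unix extractors commonly convert them to "/".
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return False  # absolute paths never belong in an archive listing
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # commonpath equals base only when target is base itself or lies below it
    return os.path.commonpath([base, target]) == base


def triage_listing(names: Iterable[str],
                   base_dir: str = BASE_DIR) -> Tuple[List[str], List[str]]:
    """Split archive entry names into (safe, rejected) before anything is written."""
    safe: List[str] = []
    rejected: List[str] = []
    for name in names:
        (safe if is_safe_member_path(name, base_dir) else rejected).append(name)
    return safe, rejected


# Constructed listing, standing in for the bare file list of an archive:
SAMPLE_LISTING = [
    "project/README.md",
    "project/src/main.c",
    "project/src/../LICENSE",      # stays inside: normalises to project/LICENSE
    "../.ssh/authorized_keys",     # the escape described on the page
    "project/../../.bashrc",       # same escape, one level deeper in the tree
    "/etc/cron.d/job",             # absolute path
    "..\\.ssh\\authorized_keys",   # backslash-separated variant
]

if __name__ == "__main__":
    ok, bad = triage_listing(SAMPLE_LISTING)
    print("safe:    ", ok)
    print("rejected:", bad)
```

Running the listing through `triage_listing` keeps the three `project/...` entries and rejects the other four, including the `project/../../.bashrc` form that a naive check for a leading `../` would miss. The check covers only the path-string problem the article describes; archives can also carry symbolic links, which need a separate check at extraction time.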
Source: opennet.ru