unacev2.dll - App-Request
There is a vulnerability in the old version of unacev2.dll:
Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) | McAfee Blogs
0patch Blog: No Source Code For a 14-Year Old Vulnerable DLL? No Problem. (CVE-2018-20250)
Total Commander offers a download for the fixed version:
Total Commander - Mailing
File name and path: C:\prg\unacev2_fixed\UNACEV2.DLL
Product Name: UNACE - freeware ACE extraction component
Internal Name: UnAceV2.Dll
Original Filename: UnAceV2.Dll
File Description: UNACE Dynamic Link Library
Company: ACE Compression Software
Legal Copyright: ACE Compression Software, 2000-2019
Legal Trademarks: ACE Compression Software, 2000-2019
Comments:
File Version String: 22.214.171.124
File Version: 126.96.36.199
Product Version String: 188.8.131.52
Product Version: 184.108.40.206
This is the version with vulnerability:
File name and path: C:\totalcmd\UNACEV2.DLL
Product Name: UNACE - freeware ACE extraction component
Internal Name: UnAceV2.Dll
Original Filename: UnAceV2.Dll
File Description: UNACE Dynamic Link Library
Company: ACE Compression Software
Legal Copyright: ACE Compression Software, 2000-2005
Legal Trademarks: ACE Compression Software, 2000-2005
Comments:
File Version String: 220.127.116.11
File Version: 18.104.22.168
Product Version String: 22.214.171.124
Product Version: 126.96.36.199
Tom (VulnDetect Team Member):
This is a very interesting case indeed.
While VulnDetect has the capability of detecting libraries, this is beyond the current scope of VulnDetect.
However, due to the fact that this is being actively exploited and I can see that there is a LOT of software, including Avira AntiVir, WinRAR, XnView, PeaZip, Bandizip, SpeedCommander, and tonnes of software I never heard about, that utilizes it and sounds like it could provide attack vectors, I will add it for now.
But do not expect us to support libraries in general, anytime soon.
Later in the week, when the second iteration of our bundling goes live, I will let the security state of unacev2.dll affect the state of the parent program.
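Added example, not part of the thread and not VulnDetect's own code: a PowerShell inventory that finds every bundled copy of UNACEV2.DLL, reports the version-info fields quoted in the first post, and compares each copy's SHA-256 with a known-fixed reference copy. It assumes the fixed DLL from Total Commander was saved at the path shown in the first post; the parameter names are hypothetical, and a differing hash only means the copy is not identical to the reference and needs review.

```powershell
# Added example: inventory UNACEV2.DLL copies and compare them with a
# known-fixed reference copy.
param(
    # Assumption: the fixed DLL is stored here (path taken from the first post).
    [string]$ReferencePath = 'C:\prg\unacev2_fixed\UNACEV2.DLL',
    # Assumption: folders or drives to search; add more roots as needed.
    [string[]]$Roots = @('C:\')
)

if (-not (Test-Path -LiteralPath $ReferencePath -PathType Leaf)) {
    throw "Reference copy not found: $ReferencePath"
}
$refHash = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash

$results = Get-ChildItem -Path $Roots -Filter 'unacev2.dll' -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi   = $_.VersionInfo
        # Unreadable (locked or access-denied) files yield no hash and are
        # reported as not matching, so they still show up for review.
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                    -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            ParentFolder     = $_.DirectoryName   # the program bundling the DLL
            FileVersion      = $vi.FileVersion
            LegalCopyright   = $vi.LegalCopyright
            LastWriteTime    = $_.LastWriteTime
            MatchesReference = ($hash -eq $refHash)
            SHA256           = $hash
        }
    }

# Copies that differ from the reference are listed first.
$results | Sort-Object MatchesReference, ParentFolder | Format-Table -AutoSize -Wrap

$review = @($results | Where-Object { -not $_.MatchesReference })
'{0} of {1} copies differ from the reference and need review.' -f `
    $review.Count, @($results).Count
```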