Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2643

Description

Directory traversal in Microsoft cabarc allows overwriting files via '../' in CAB archive filenames.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a directory traversal flaw in cabarc, a command-line tool for managing CAB archives. It allows writing files to arbitrary locations via ../ sequences in filenames within a CAB archive. The affected version is unspecified in the available references, but the tool is associated with Microsoft.

Exploitation

An attacker can craft a CAB archive containing files with ../ in their names. When a user or system processes the archive using cabarc, the tool resolves the ../ sequences and writes files outside the intended extraction directory. No authentication or special privileges are required, only the ability to deliver the malicious CAB file to the target.

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the system, potentially leading to code execution or system compromise. The level of access is limited by the privileges of the user running cabarc.

Mitigation

No patch or fix is mentioned in the available references. Users should avoid opening CAB archives from untrusted sources with cabarc. Microsoft may have addressed this in later versions; consult vendor documentation.
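
A pre-extraction check that supports the advice above, as an added example (not code from Microsoft, cabarc or this advisory): it reads the stored member names from a CAB's file table without extracting anything and flags names that would escape the destination directory. It goes slightly beyond the '../' case described on this page by also flagging backslash separators, absolute paths and drive-qualified names; the function names and the sample archive are constructed for illustration.

```python
import struct

def cab_member_names(blob: bytes) -> list[str]:
    """Return the names stored in a CAB's CFFILE table (nothing is extracted)."""
    if len(blob) < 36 or blob[:4] != b"MSCF":
        raise ValueError("not a CAB archive")
    coff_files = struct.unpack_from("<I", blob, 16)[0]  # CFHEADER.coffFiles
    c_files = struct.unpack_from("<H", blob, 28)[0]     # CFHEADER.cFiles
    names, pos = [], coff_files
    try:
        for _ in range(c_files):
            attribs = struct.unpack_from("<H", blob, pos + 14)[0]
            end = blob.index(b"\0", pos + 16)           # szName is NUL-terminated
            raw = blob[pos + 16:end]
            # Attribute bit 0x80 marks a UTF-8 name; otherwise assume a legacy code page.
            names.append(raw.decode("utf-8" if attribs & 0x80 else "cp437", "replace"))
            pos = end + 1
    except (struct.error, ValueError):
        raise ValueError("truncated or malformed CFFILE table")
    return names

def is_unsafe(name: str) -> bool:
    """True if the stored name could resolve outside the extraction directory."""
    parts = name.replace("\\", "/").split("/")
    return (
        ".." in parts                            # parent-directory component
        or name.startswith(("/", "\\"))          # absolute or UNC-style path
        or (len(name) > 1 and name[1] == ":")    # drive-qualified path
    )

def unsafe_members(blob: bytes) -> list[str]:
    return [n for n in cab_member_names(blob) if is_unsafe(n)]

def build_sample_cab(names: list[str]) -> bytes:
    """Constructed test input: CFHEADER plus CFFILE entries only, no folder data."""
    table = b"".join(
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\0" for n in names
    )
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 36 + len(table), 0,
                         36, 0, 3, 1, 0, len(names), 0, 0, 0)
    return header + table

# Constructed sample: two benign names and two traversal names.
SAMPLE = build_sample_cab(
    ["readme.txt", "../../evil.dll", "docs\\..\\..\\x.ini", "a..b/file.txt"])

if __name__ == "__main__":
    for member in unsafe_members(SAMPLE):
        print("refuse to extract:", member)
```

Rejecting the whole archive when `unsafe_members` returns anything is the conservative policy; extracting only the remaining members still trusts the rest of an archive that was built to be hostile.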

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Microsoft/Cabarc (2 versions)
    • cpe:2.3:a:microsoft:cabarc:*:*:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

8
