Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
References
Link | Resource |
---|---|
https://breakingthe3ma.app | Third Party Advisory |
https://breakingthe3ma.app/files/Threema-PST22.pdf | Exploit Technical Description Third Party Advisory |
https://github.com/srikanth-lingala/zip4j/issues/485 | Exploit Issue Tracking Patch Third Party Advisory |
https://github.com/srikanth-lingala/zip4j/releases | Release Notes Third Party Advisory |
https://news.ycombinator.com/item?id=34316206 | Third Party Advisory |
https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement | Vendor Advisory |
Configurations
History
30 Jan 2023, 16:24
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/srikanth-lingala/zip4j/issues/485 - Exploit, Issue Tracking, Patch, Third Party Advisory |
26 Jan 2023, 21:18
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Jan 2023, 17:51
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:zip4j_project:zip4j:*:*:*:*:*:*:*:* | |
CWE | CWE-346 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
First Time |
Zip4j Project zip4j
Zip4j Project |
|
References | (MISC) https://news.ycombinator.com/item?id=34316206 - Third Party Advisory | |
References | (MISC) https://breakingthe3ma.app - Third Party Advisory | |
References | (MISC) https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement - Vendor Advisory | |
References | (MISC) https://breakingthe3ma.app/files/Threema-PST22.pdf - Exploit, Technical Description, Third Party Advisory | |
References | (MISC) https://github.com/srikanth-lingala/zip4j/releases - Release Notes, Third Party Advisory |
10 Jan 2023, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-01-10 02:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-22899
Mitre link : CVE-2023-22899
CVE.ORG link : CVE-2023-22899
JSON object : View
Products Affected
zip4j_project
- zip4j
CWE
CWE-346
Origin Validation Error