CVE-2023-22899

MEDIUM

Zip4j < 2.11.2 - Origin Validation Error

Title source: rule

Description

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.

References (6)

[Third Party Advisory] https://breakingthe3ma.app

[Exploit, Technical Description, Third Party Advisory] https://breakingthe3ma.app/files/Threema-PST22.pdf

[Exploit, Issue Tracking, Patch, Third Party Advisory] https://github.com/srikanth-lingala/zip4j/issues/485

[Release Notes, Third Party Advisory] https://github.com/srikanth-lingala/zip4j/releases

[Third Party Advisory] https://news.ycombinator.com/item?id=34316206

[Vendor Advisory] https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement

Scores

CVSS v3 5.9

EPSS 0.0026

EPSS Percentile 49.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-346

Status published

Affected Products (2)

zip4j_project/zip4j < 2.11.2

net.lingala.zip4j/zip4j < 2.11.3Maven

Timeline

Published Jan 10, 2023

Tracked Since Feb 18, 2026