CVE-2023-22899

low-risk
Published 2023-01-10

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.

Do I need to act?

-
0.26% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Zip4J

Affected Vendors

Zip4J Project

References (12)

Third Party Advisory https://breakingthe3ma.app
Exploit https://breakingthe3ma.app/files/Threema-PST22.pdf
Exploit https://github.com/srikanth-lingala/zip4j/issues/485
Release Notes https://github.com/srikanth-lingala/zip4j/releases
Third Party Advisory https://news.ycombinator.com/item?id=34316206
Vendor Advisory https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
Third Party Advisory https://breakingthe3ma.app
Exploit https://breakingthe3ma.app/files/Threema-PST22.pdf
Exploit https://github.com/srikanth-lingala/zip4j/issues/485
Release Notes https://github.com/srikanth-lingala/zip4j/releases
Third Party Advisory https://news.ycombinator.com/item?id=34316206
Vendor Advisory https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal