Description
Zip4j Origin Validation Error
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. This issue has been fixed in version 2.11.3.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-22899
- https://github.com/srikanth-lingala/zip4j/issues/485
- https://breakingthe3ma.app
- https://breakingthe3ma.app/files/Threema-PST22.pdf
- https://github.com/srikanth-lingala/zip4j/releases
- https://github.com/srikanth-lingala/zip4j/releases/tag/v2.11.3
- https://news.ycombinator.com/item?id=34316206
- https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
Packages
Name: net.lingala.zip4j:zip4j (maven)
Affected versions: <= 2.11.2
Fixed version: 2.11.3
Related vulnerabilities
CVSS3: 5.9
ubuntu
about 3 years ago
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
CVSS3: 5.9
redhat
about 3 years ago
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
CVSS3: 5.9
nvd
about 3 years ago
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
CVSS3: 5.9
debian
about 3 years ago
Zip4j through 2.11.2, as used in Threema and other products, does not ...