5.9

CVE-2023-22899

Exploit

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zip4j ProjectZip4j Version <= 2.11.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.16% 0.375
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://breakingthe3ma.app
Third Party Advisory
https://breakingthe3ma.app/files/Threema-PST22.pdf
Third Party Advisory
Exploit
Technical Description
https://github.com/srikanth-lingala/zip4j/issues/485
Patch
Third Party Advisory
Exploit
Issue Tracking
https://github.com/srikanth-lingala/zip4j/releases
Third Party Advisory
Release Notes