CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 50.9%
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. This issue has been fixed in version 2.11.3.
breakingthe3ma.app
breakingthe3ma.app/files/Threema-PST22.pdf
github.com/srikanth-lingala/zip4j
github.com/srikanth-lingala/zip4j/issues/485
github.com/srikanth-lingala/zip4j/releases
github.com/srikanth-lingala/zip4j/releases/tag/v2.11.3
news.ycombinator.com/item?id=34316206
nvd.nist.gov/vuln/detail/CVE-2023-22899
threema.ch/en/blog/posts/news-alleged-weaknesses-statement