Ubuntu.comUB:CVE-2023-22899

HistoryJan 10, 2023 - 12:00 a.m.

CVE-2023-22899

2023-01-1000:00:00

ubuntu.com

123

zip4j

mac

decrypting

zip archive

threema

security vulnerability

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

50.9%

JSON

Zip4j through 2.11.2, as used in Threema and other products, does not
always check the MAC when decrypting a ZIP archive.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchzip4j< anyUNKNOWN
ubuntu22.04noarchzip4j< anyUNKNOWN
ubuntu24.04noarchzip4j< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	zip4j	< any	UNKNOWN
ubuntu	22.04	noarch	zip4j	< any	UNKNOWN
ubuntu	24.04	noarch	zip4j	< any	UNKNOWN

References

breakingthe3ma.app

breakingthe3ma.app/files/Threema-PST22.pdf

github.com/srikanth-lingala/zip4j/releases

launchpad.net/bugs/cve/CVE-2023-22899

news.ycombinator.com/item?id=34316206

nvd.nist.gov/vuln/detail/CVE-2023-22899

security-tracker.debian.org/tracker/CVE-2023-22899

threema.ch/en/blog/posts/news-alleged-weaknesses-statement

www.cve.org/CVERecord?id=CVE-2023-22899

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

50.9%

JSON

Related for UB:CVE-2023-22899