Veracode Vulnerability Database: VERACODE:39316
History: Feb 17, 2023 - 7:54 a.m.

Improper Signature Validation

2023-02-17 07:54:49
sca.analysiscenter.veracode.com
Tags: zip4j, improper signature validation, aes, message authentication code, mac, vulnerable, vulnerability, encrypted zip archive, flaw, attacker, library, tampered

EPSS: 0.001 (Percentile: 50.9%)

Zip4j is vulnerable to Improper Signature Validation. The vulnerability is due to improper validation of the AES Message Authentication Code (MAC) when the MAC in an encrypted ZIP archive has been corrupted. As a result, an attacker can modify the archive without the library detecting that it has been tampered with.