Moderate severity · NVD Advisory · Published Jan 10, 2023 · Updated Apr 9, 2025
CVE-2023-22899
Description
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. The WinZip AES scheme that Zip4j implements authenticates each encrypted entry's ciphertext with a truncated HMAC-SHA1 authentication code; when that code is not verified, an archive whose ciphertext was modified in transit or at rest decrypts without error and yields altered data. Fixed in 2.11.3.
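The following is an added example, not Zip4j's own code, showing why a skipped MAC check matters for this format. It reproduces the WinZip AE-2 entry layout (salt, 2-byte password verifier, ciphertext, 10-byte HMAC-SHA1 authentication code, keys from PBKDF2-HMAC-SHA1 with 1000 iterations) and contrasts an unchecked decrypt with one that verifies the tag first. Because the Python standard library has no AES, the AES-CTR layer is replaced by an HMAC-SHA1 counter keystream (an assumption, clearly marked); it has the same bit-flipping malleability as real CTR, which is what the check protects against. All function names here (`seal_entry`, `open_entry`, `tamper`, ...) are hypothetical, and the sample message is constructed.

```python
"""WinZip AE-2 style authenticated entry: PBKDF2 keys, password check, HMAC-SHA1 tag."""
import hashlib
import hmac
import secrets
import struct

# WinZip AES (AE-2) layout constants; strength byte 1/2/3 selects AES-128/192/256.
SALT_LEN = {1: 8, 2: 12, 3: 16}
KEY_LEN = {1: 16, 2: 24, 3: 32}
PV_LEN = 2            # password verification value stored after the salt
AUTH_LEN = 10         # authentication code: HMAC-SHA1 over ciphertext, truncated
PBKDF2_ITER = 1000


class IntegrityError(Exception):
    """Raised when the password check or the authentication code fails."""


def derive_keys(password: bytes, salt: bytes, strength: int):
    """PBKDF2-HMAC-SHA1 -> (encryption key, authentication key, password verifier)."""
    klen = KEY_LEN[strength]
    dk = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITER,
                             dklen=2 * klen + PV_LEN)
    return dk[:klen], dk[klen:2 * klen], dk[2 * klen:]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR (assumption: stdlib has no AES). Keystream block i is
    HMAC-SHA1(key, i); XOR with a keystream is malleable exactly like real CTR."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 20)):
        ks = hmac.new(key, struct.pack("<Q", i), "sha1").digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 20], ks))
    return bytes(out)


def seal_entry(password: bytes, plaintext: bytes, strength: int = 3) -> bytes:
    """Encrypt-then-MAC: salt || pv || ciphertext || auth code."""
    salt = secrets.token_bytes(SALT_LEN[strength])
    enc_key, auth_key, pv = derive_keys(password, salt, strength)
    ct = keystream_xor(enc_key, plaintext)
    tag = hmac.new(auth_key, ct, "sha1").digest()[:AUTH_LEN]
    return salt + pv + ct + tag


def open_entry_unchecked(password: bytes, blob: bytes, strength: int = 3) -> bytes:
    """The affected behaviour: decrypt and return data without checking the tag."""
    slen = SALT_LEN[strength]
    enc_key, _, _ = derive_keys(password, blob[:slen], strength)
    return keystream_xor(enc_key, blob[slen + PV_LEN:-AUTH_LEN])


def open_entry(password: bytes, blob: bytes, strength: int = 3) -> bytes:
    """The fixed behaviour: verify password and authentication code, then decrypt."""
    slen = SALT_LEN[strength]
    if len(blob) < slen + PV_LEN + AUTH_LEN:
        raise IntegrityError("entry too short")
    salt, pv = blob[:slen], blob[slen:slen + PV_LEN]
    ct, tag = blob[slen + PV_LEN:-AUTH_LEN], blob[-AUTH_LEN:]
    enc_key, auth_key, expected_pv = derive_keys(password, salt, strength)
    if not hmac.compare_digest(pv, expected_pv):
        raise IntegrityError("password verification failed")
    expected_tag = hmac.new(auth_key, ct, "sha1").digest()[:AUTH_LEN]
    if not hmac.compare_digest(tag, expected_tag):
        raise IntegrityError("authentication code mismatch: entry was modified")
    return keystream_xor(enc_key, ct)


def tamper(blob: bytes, offset: int, old: int, new: int, strength: int = 3) -> bytes:
    """Attacker without the password: XOR (old ^ new) into the ciphertext byte at
    plaintext offset; under CTR that turns the decrypted byte from old into new."""
    pos = SALT_LEN[strength] + PV_LEN + offset
    b = bytearray(blob)
    b[pos] ^= old ^ new
    return bytes(b)


def demo():
    """Constructed sample: rewrite '100' to '900' inside an encrypted entry."""
    password, message = b"correct horse", b"transfer amount=100 EUR"
    blob = seal_entry(password, message)
    evil = tamper(blob, message.index(b"1"), ord("1"), ord("9"))
    unchecked = open_entry_unchecked(password, evil)   # silently modified data
    try:
        open_entry(password, evil)
        verdict = "accepted"
    except IntegrityError as exc:
        verdict = f"rejected: {exc}"
    return unchecked, verdict


if __name__ == "__main__":
    print(demo())
```

The unchecked path returns `b"transfer amount=900 EUR"` for the tampered entry, while the checked path rejects it on the authentication code. The practical takeaway for consumers of Zip4j is that only the library can perform this check for AES entries, so the remediation is the upgrade to 2.11.3 rather than anything callers can bolt on.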
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.lingala.zip4j:zip4j (Maven) | < 2.11.3 | 2.11.3 |
References
- github.com/advisories/GHSA-2pj2-gchf-wmw7 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-22899 (advisory)
- breakingthe3ma.app
- breakingthe3ma.app/files/Threema-PST22.pdf
- github.com/srikanth-lingala/zip4j/issues/485
- github.com/srikanth-lingala/zip4j/releases
- github.com/srikanth-lingala/zip4j/releases/tag/v2.11.3
- news.ycombinator.com/item
- threema.ch/en/blog/posts/news-alleged-weaknesses-statement