CVE-2023-22899: Origin Validation Error

January 10, 2023 (updated January 30, 2023)

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.

References

breakingthe3ma.app/
breakingthe3ma.app/files/Threema-PST22.pdf
github.com/srikanth-lingala/zip4j/releases
news.ycombinator.com/item?id=34316206
nvd.nist.gov/vuln/detail/CVE-2023-22899
threema.ch/en/blog/posts/news-alleged-weaknesses-statement

Detect and mitigate CVE-2023-22899 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →