CVE-2023-22899 Information
Jan 11, 2023
Description
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
Reference
https://breakingthe3ma.app/files/Threema-PST22.pdf
https://news.ycombinator.com/item?id=34316206
https://github.com/srikanth-lingala/zip4j/releases
https://breakingthe3ma.app
https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement