{"id":"CVE-2023-22899","details":"Zip4j through 2.11.2, as used in Threema and other products, does not always verify the MAC (authentication tag) when decrypting an encrypted ZIP archive, so an archive whose encrypted contents have been tampered with may decrypt without error (integrity impact only, per the CVSS vector; confidentiality and availability are not affected). Fixed in the release after 2.11.2; see the linked issue for the fix.","aliases":["GHSA-2pj2-gchf-wmw7"],"modified":"2026-04-02T08:47:46.087001Z","published":"2023-01-10T02:15:09.997Z","references":[{"type":"ADVISORY","url":"https://news.ycombinator.com/item?id=34316206"},{"type":"ADVISORY","url":"https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement"},{"type":"ADVISORY","url":"https://breakingthe3ma.app"},{"type":"ADVISORY","url":"https://github.com/srikanth-lingala/zip4j/releases"},{"type":"FIX","url":"https://github.com/srikanth-lingala/zip4j/issues/485"},{"type":"EVIDENCE","url":"https://breakingthe3ma.app/files/Threema-PST22.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/srikanth-lingala/zip4j","events":[{"introduced":"0"},{"last_affected":"942fe577d6028b1744483beb5eec46699580e5cc"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.11.2"}]}}],"versions":["v2.0","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.2","v2.1.3","v2.1.4","v2.10.0","v2.11.0","v2.11.1","v2.11.2","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.3.0","v2.3.1","v2.3.2","v2.4.0","v2.5.0","v2.5.1","v2.5.2","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.7.0","v2.8.0","v2.9.0","v2.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22899.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}