#VU74270 Improper Verification of Cryptographic Signature in zip4j - CVE-2023-22899

Cybersecurity Help s.r.o.

Published: 2023-03-31

Vulnerability identifier: #VU74270

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-22899

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
zip4j
Client/Desktop applications / Software for archiving

Vendor: Srikanth Reddy Lingala

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to zip4j does not always perform validation of MAC when decrypting a ZIP archive. A remote attacker can submit a malicious archive or tamper with data inside one.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

zip4j: 2.0 - 2.11.2

External links
https://breakingthe3ma.app/files/Threema-PST22.pdf
https://news.ycombinator.com/item?id=34316206
https://github.com/srikanth-lingala/zip4j/releases
https://breakingthe3ma.app
https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
https://github.com/srikanth-lingala/zip4j/issues/485

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Migration Toolkit for Applications

Multiple vulnerabilities in Middleware Common Libraries and Tools

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Improper verification of cryptographic signature in IBM App Connect Enterprise

Multiple vulnerabilities in Migration Toolkit for Runtimes

Multiple vulnerabilities in Oracle Access Manager

Multiple vulnerabilities in Axway SecureTransport (February 2023)

Missing MAC validation in Zip4j