Veracode Vulnerability DatabaseVERACODE:39316Improper Signature Validation
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
46.1%
Zip4j is vulnerable to Improper Signature Validation. The vulnerability is due to improper AES Message Authentication Code (MAC) validation when the MAC signature got corrupted in an encrypted ZIP archive. This flaw can result in an attacker modifying the archive without the library detecting the archive is tampered.
References
github.com/advisories/GHSA-2pj2-gchf-wmw7
github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3
github.com/srikanth-lingala/zip4j/commit/ddd8fdc8ad0583eb4a6172dc86c72c881485c55b
github.com/srikanth-lingala/zip4j/issues/485
security-tracker.debian.org/tracker/CVE-2023-22899
threema.ch/en/blog/posts/news-alleged-weaknesses-statement
www.ibm.com/support/pages/security-bulletin-ibm-app-connect-enterprise-affected-remote-attacker-due-zip4j-library-cve-2023-22899
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
46.1%