Miggo Logo
Miggo Vulnerability Database
CVE-2023-22899

CVE-2023-22899: Zip4j Origin Validation Error

5.9

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-22899
GHSA ID
GHSA-2pj2-gchf-wmw7
EPSS Score
0.37755%
CWE
CWE-346
Published
1/10/2023
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
net.lingala.zip4j:zip4jmaven<= 2.11.22.11.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability (CVE-2023-22899) explicitly states that Zip4j failed to check the MAC during decryption. The MAC is critical for verifying the integrity and authenticity of encrypted data. The AES decryption process in Zip4j (handled by AesDecrypter) would logically include MAC validation. The patch in v2.11.3 likely added this check, confirming the vulnerability resided in the decryption flow where MAC verification was omitted. The Threema analysis also directly implicates the ZIP library's MAC validation failure, aligning with this function's responsibility.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Zip*j t*rou** *.**.*, *s us** in T*r**m* *n* ot**r pro*u*ts, *o*s not *lw*ys ****k t** M** w**n ***ryptin* * ZIP *r**iv*. T*is issu* **s ***n *ix** in v*rsion *.**.*.

Reasoning

T** vuln*r**ility (*V*-****-*****) *xpli*itly st*t*s t**t `Zip*j` **il** to ****k t** M** *urin* ***ryption. T** M** is *riti**l *or v*ri*yin* t** int**rity *n* *ut**nti*ity o* *n*rypt** **t*. T** `**S` ***ryption `pro**ss` in `Zip*j` (**n*l** *y `**