Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. This issue has been fixed in version 2.11.3.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-22899
- https://breakingthe3ma.app
- https://breakingthe3ma.app/files/Threema-PST22.pdf
- https://github.com/srikanth-lingala/zip4j/releases
- https://news.ycombinator.com/item?id=34316206
- https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement
- https://github.com/srikanth-lingala/zip4j/issues/485
- https://github.com/srikanth-lingala/zip4j/releases/tag/v2.11.3
- https://github.com/advisories/GHSA-2pj2-gchf-wmw7
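
A check for the affected range stated above, run against a Maven `pom.xml`. This is an added example, not code from the advisory or from the zip4j project. It assumes the Maven coordinates `net.lingala.zip4j:zip4j` and uses a constructed sample POM.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 11, 3)  # first fixed release, per the advisory
# Assumption: zip4j's Maven coordinates (not stated in the advisory text).
GROUP, ARTIFACT = "net.lingala.zip4j", "zip4j"

def _local(tag):
    """Strip the XML namespace that Maven POMs usually declare."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def check_pom(pom_xml):
    """Return [(version, status)] for each zip4j dependency in one POM."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for e in root.iter() if _local(e.tag) == "properties" for p in e}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if (_child(dep, "groupId"), _child(dep, "artifactId")) != (GROUP, ARTIFACT):
            continue
        raw = _child(dep, "version")
        ref = re.fullmatch(r"\$\{(.+)\}", raw)  # version given as ${property}
        version = props.get(ref.group(1), raw) if ref else raw
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
        # Missing, inherited or non-release versions are flagged for manual review.
        status = ("unresolved" if not m else
                  "vulnerable" if tuple(map(int, m.groups())) < FIXED else "fixed")
        findings.append((version, status))
    return findings

# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><zip4j.version>2.11.2</zip4j.version></properties>
  <dependencies>
    <dependency><groupId>net.lingala.zip4j</groupId><artifactId>zip4j</artifactId>
      <version>${zip4j.version}</version></dependency>
    <dependency><groupId>net.lingala.zip4j</groupId><artifactId>zip4j</artifactId>
      <version>2.11.3</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for version, status in check_pom(SAMPLE_POM):
        print(f"zip4j {version or '(no version)'}: {status}")
```

This only inspects versions declared in the file it is given; zip4j pulled in transitively still has to be found with `mvn dependency:tree`.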