Open mend-bolt-for-github[bot] opened 1 year ago
Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/
Library home page: http://nexus.sonatype.org/oss-repository-hosting.html/zip4j
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/net/lingala/zip4j/zip4j/1.3.3/zip4j-1.3.3.jar
Dependency Hierarchy: - :x: **zip4j-1.3.3.jar** (Vulnerable Library)
Found in HEAD commit: 34ce0f6524391068ef5b880f65575eb3eb499124
Found in base branch: master
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
Publish Date: 2023-01-10
URL: CVE-2023-22899
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-2pj2-gchf-wmw7
Release Date: 2023-01-10
Fix Resolution: 2.11.3
Step up your Open Source Security Game with Mend here
CVE-2023-22899 - Medium Severity Vulnerability
Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/
Library home page: http://nexus.sonatype.org/oss-repository-hosting.html/zip4j
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/net/lingala/zip4j/zip4j/1.3.3/zip4j-1.3.3.jar
Dependency Hierarchy: - :x: **zip4j-1.3.3.jar** (Vulnerable Library)
Found in HEAD commit: 34ce0f6524391068ef5b880f65575eb3eb499124
Found in base branch: master
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
Publish Date: 2023-01-10
URL: CVE-2023-22899
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-2pj2-gchf-wmw7
Release Date: 2023-01-10
Fix Resolution: 2.11.3
Step up your Open Source Security Game with Mend here