
Cloud Vulnerability DB
A community-led vulnerabilities database
Zip4j through version 2.11.2, as used in Threema and other products, contained a vulnerability (CVE-2023-22899) where the library did not always check the Message Authentication Code (MAC) when decrypting a ZIP archive. The vulnerability was discovered in October 2022 and publicly disclosed on January 9, 2023 (ETH Paper, NVD).
The vulnerability existed in the ZIP decryption process: the library did not consistently verify the MAC of an encrypted ZIP archive before releasing the decrypted data. An attacker who could alter an encrypted archive could therefore change its contents without the modification being detected. The issue was particularly concerning in applications like Threema that used Zip4j for handling encrypted backups (ETH Paper).
In practical terms, an attacker with access to an encrypted ZIP archive could modify its contents, and because the MAC was not checked, the tampering would go unnoticed on decryption. In the context of Threema, this affected the integrity of backup files (ETH Paper).
The vulnerability was fixed in Zip4j version 2.11.3, released on January 26, 2023. The fix ensures proper MAC verification during ZIP decryption (GitHub Release). Threema addressed this issue in their application updates (Threema ≥5.0 for Android and Threema ≥4.8.5 for iOS) (Threema Statement).
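To make the failure mode concrete, the following is an added illustration written for this entry; it is not Zip4j's or Threema's code and does not reproduce the ZIP AES container format. It uses an encrypt-then-MAC construction with a toy HMAC-SHA256-based counter-mode keystream standing in for a real block cipher, and shows a flawed decryptor that carries the MAC but never verifies it beside a correct one that verifies it before releasing plaintext. Keys, nonce and plaintext are constructed values.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream using HMAC-SHA256 as the PRF.
    A stand-in for a block cipher in CTR mode; for illustration only."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _split(blob: bytes):
    return blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]


def decrypt_unchecked(enc_key: bytes, blob: bytes) -> bytes:
    """Flawed decryptor of the kind the advisory describes: the tag is present
    in the container but never verified, so altered ciphertext decrypts silently."""
    nonce, ct, _tag = _split(blob)
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def decrypt_checked(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Correct decryptor: verify the MAC (constant-time compare) before
    any plaintext is returned to the caller."""
    nonce, ct, tag = _split(blob)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC verification failed: archive modified or wrong key")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def demo() -> dict:
    # Constructed keys, nonce and plaintext (fixed so the run is reproducible).
    enc_key = b"\x01" * 32
    mac_key = b"\x02" * 32
    nonce = b"\x00" * NONCE_LEN
    plaintext = b"constructed backup record"
    blob = encrypt(enc_key, mac_key, nonce, plaintext)

    # Simulate corruption or tampering of the stored archive: flip one ciphertext bit.
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01
    tampered = bytes(tampered)

    roundtrip_ok = decrypt_checked(enc_key, mac_key, blob) == plaintext
    unchecked_out = decrypt_unchecked(enc_key, tampered)
    silent = unchecked_out != plaintext and len(unchecked_out) == len(plaintext)
    try:
        decrypt_checked(enc_key, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "roundtrip_ok": roundtrip_ok,
        "unchecked_silent_modification": silent,
        "checked_rejects": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point the fixed Zip4j release makes is the same one `decrypt_checked` makes: integrity is only provided if the MAC comparison actually runs on every decryption path and failure aborts before the plaintext is handed to the application. A decryptor that parses the tag but skips the comparison, as `decrypt_unchecked` does, gives the application a modified file with no error.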
The vulnerability was part of a broader security analysis of Threema by ETH Zurich researchers. The discovery led to discussions in the security community about the importance of proper cryptographic validation in security-critical applications (Hacker News).
Source: This report was generated using AI