net.lingala.zip4j:zip4j 1.2.7 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.lingala.zip4j:zip4j package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Insufficient Verification of Data Authenticity net.lingala.zip4j:zip4j is an open source java library to handle zip files. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in that it does not always check the MAC when decrypting a ZIP archive. This allows attackers with knowledge of the filenames in use on the affected system, and write access to those files, to modify the contents of the archives without the changes being detected. How to fix Insufficient Verification of Data Authenticity? Upgrade `net.lingala.zip4j:zip4j` to version 2.11.3 or higher.	[0,2.11.3)
M NULL Pointer Dereference net.lingala.zip4j:zip4j is an open source java library to handle zip files. Affected versions of this package are vulnerable to NULL Pointer Dereference. A `ZipFile` can be constructed with a `null` `File` reference, leading to a null pointer exception on this line when an operation is carried. How to fix NULL Pointer Dereference? Upgrade `net.lingala.zip4j:zip4j` to version 2.7.0 or higher.	[,2.7.0)
M Insecure Randomness net.lingala.zip4j:zip4j is an open source java library to handle zip files. Affected versions of this package are vulnerable to Insecure Randomness. Both `StandardEncrypter` and `AES encrypter` uses `j.l.Random` to generate randomness for encryption operations instead of `SecureRandom`. How to fix Insecure Randomness? Upgrade `net.lingala.zip4j:zip4j` to version 2.6.3 or higher.	[,2.6.3)
M Arbitrary File Write via Archive Extraction (Zip Slip) net.lingala.zip4j:zip4j is a open source java library to handle zip files. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). Successful exploitation of this vulnerability can result in remote command execution. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? Upgrade `net.lingala.zip4j:zip4j` to version 1.3.3 or higher.	[0,1.3.3)

Vulnerability

Vulnerable Version

Insufficient Verification of Data Authenticity

net.lingala.zip4j:zip4j is an open source java library to handle zip files.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in that it does not always check the MAC when decrypting a ZIP archive. This allows attackers with knowledge of the filenames in use on the affected system, and write access to those files, to modify the contents of the archives without the changes being detected.

How to fix Insufficient Verification of Data Authenticity?

Upgrade net.lingala.zip4j:zip4j to version 2.11.3 or higher.

[0,2.11.3)

NULL Pointer Dereference

net.lingala.zip4j:zip4j is an open source java library to handle zip files.

Affected versions of this package are vulnerable to NULL Pointer Dereference. A ZipFile can be constructed with a null File reference, leading to a null pointer exception on this line when an operation is carried.

How to fix NULL Pointer Dereference?

Upgrade net.lingala.zip4j:zip4j to version 2.7.0 or higher.

[,2.7.0)

Insecure Randomness

net.lingala.zip4j:zip4j is an open source java library to handle zip files.

Affected versions of this package are vulnerable to Insecure Randomness. Both StandardEncrypter and AES encrypter uses j.l.Random to generate randomness for encryption operations instead of SecureRandom.

How to fix Insecure Randomness?

Upgrade net.lingala.zip4j:zip4j to version 2.6.3 or higher.

[,2.6.3)

Arbitrary File Write via Archive Extraction (Zip Slip)

net.lingala.zip4j:zip4j is a open source java library to handle zip files.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). Successful exploitation of this vulnerability can result in remote command execution.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade net.lingala.zip4j:zip4j to version 1.3.3 or higher.

[0,1.3.3)

net.lingala.zip4j:zip4j@1.2.7 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?