net.lingala.zip4j:zip4j@2.6.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.lingala.zip4j:zip4j package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Insufficient Verification of Data Authenticity

net.lingala.zip4j:zip4j is an open source java library to handle zip files.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in that it does not always check the MAC when decrypting a ZIP archive. This allows attackers with knowledge of the filenames in use on the affected system, and write access to those files, to modify the contents of the archives without the changes being detected.

How to fix Insufficient Verification of Data Authenticity?

Upgrade net.lingala.zip4j:zip4j to version 2.11.3 or higher.

[0,2.11.3)
  • M
NULL Pointer Dereference

net.lingala.zip4j:zip4j is an open source java library to handle zip files.

Affected versions of this package are vulnerable to NULL Pointer Dereference. A ZipFile can be constructed with a null File reference, leading to a null pointer exception on this line when an operation is carried.

How to fix NULL Pointer Dereference?

Upgrade net.lingala.zip4j:zip4j to version 2.7.0 or higher.

[,2.7.0)