CVE-2022-24615
Denial-of-service vulnerability in zip4j (Maven)
What is CVE-2022-24615 About?
This vulnerability in zip4j versions up to and including 2.9.1 allows a denial of service. A specially crafted ZIP file makes the library throw unchecked exceptions that it does not catch itself; unless the calling application catches them, the thread or process handling the archive terminates. Exploitation requires nothing more than getting the application to parse the malicious ZIP file.
Affected Software
- net.lingala.zip4j:zip4j, all versions up to and including 2.9.1 (fixed in 2.10.0)
Technical Details
The vulnerability resides in the parsing logic of the zip4j library. When the library processes a malformed or specially crafted ZIP file, it reaches states its own error handling does not cover, and unchecked exceptions escape from the parser rather than being surfaced as the library's documented ZipException. An application that only handles the documented checked exception is not prepared for these, so the exception propagates up the call stack and terminates the thread or the process, producing a crash and a denial-of-service condition. The attack vector is simply delivering such a ZIP file to any service that uses a vulnerable zip4j version to parse it.
What is the Impact of CVE-2022-24615?
Successful exploitation allows an attacker to crash the application, disrupt the service it provides, and, if the crash is repeatable on every request, keep the affected system unavailable.
What is the Exploitability of CVE-2022-24615?
Exploiting this vulnerability is of low complexity: the attacker only has to supply a specially crafted ZIP file to an application that uses the vulnerable zip4j library. No authentication or special privileges are generally required, since the fault is triggered during file parsing, which unauthenticated users can often initiate wherever the application accepts uploads. It is typically a remote vulnerability, because ZIP files are routinely transferred over networks. The exposure is greatest for server-side applications that parse user-supplied ZIP archives without validating the input first and without catching unchecked exceptions around the parsing call.
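The application-side hardening implied by the two sections above, as an added example (this is not code from the zip4j project or from the original advisory): a wrapper that lists the entries of an uploaded archive with zip4j and turns anything the parser throws, checked or unchecked, into a rejection instead of a crash. It uses only public zip4j 2.x API (`ZipFile`, `isValidZipFile`, `getFileHeaders`, `FileHeader`, `ZipException`); the `Result` type, the entry limit, the minimum-size check and the upload handler it is meant to serve are assumptions for illustration, and it does not reproduce the crafted inputs from the linked issues.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

import net.lingala.zip4j.ZipFile;
import net.lingala.zip4j.exception.ZipException;
import net.lingala.zip4j.model.FileHeader;

/**
 * Defensive wrapper around zip4j for archives received from untrusted clients.
 * Assumed context: an upload handler hands us a file the client supplied and
 * wants either a listing or a reason for rejection, never an escaped exception.
 */
public final class UntrustedZipListing {

    // Hypothetical policy value: refuse to enumerate absurdly large archives.
    private static final int MAX_ENTRIES = 10_000;
    // Smallest structurally valid ZIP: the 22-byte end-of-central-directory record.
    private static final int MIN_ZIP_BYTES = 22;

    /** Outcome handed back to the caller instead of an exception. */
    public static final class Result {
        public final boolean ok;
        public final String detail;
        Result(boolean ok, String detail) { this.ok = ok; this.detail = detail; }
    }

    public static Result listUntrustedArchive(Path upload) {
        try {
            // Cheap pre-validation before the parser sees any bytes.
            long size = Files.size(upload);
            if (size < MIN_ZIP_BYTES) {
                return new Result(false, "rejected: too small to be a ZIP (" + size + " bytes)");
            }
            ZipFile zip = new ZipFile(upload.toFile());
            if (!zip.isValidZipFile()) {
                return new Result(false, "rejected: not a valid ZIP");
            }
            List<FileHeader> headers = zip.getFileHeaders();
            if (headers.size() > MAX_ENTRIES) {
                return new Result(false, "rejected: too many entries (" + headers.size() + ")");
            }
            StringBuilder listing = new StringBuilder();
            for (FileHeader h : headers) {
                listing.append(h.getFileName()).append(' ')
                       .append(h.getUncompressedSize()).append('\n');
            }
            return new Result(true, listing.toString());
        } catch (ZipException e) {
            // The checked exception zip4j documents for corrupt input.
            return new Result(false, "rejected: " + e.getMessage());
        } catch (RuntimeException e) {
            // The CVE-2022-24615 failure class: an unchecked exception that a
            // crafted archive drives out of the parser. Catching it at this trust
            // boundary keeps the worker alive; upgrading to 2.10.0 is the real fix.
            return new Result(false, "rejected: parser failure " + e.getClass().getSimpleName());
        } catch (IOException e) {
            return new Result(false, "rejected: cannot read upload");
        }
    }

    public static void main(String[] args) {
        Result r = listUntrustedArchive(Path.of(args[0]));
        System.out.print((r.ok ? "OK\n" : "ERROR ") + r.detail);
    }
}
```

Catching `RuntimeException` this broadly is defensible only at a trust boundary such as an upload handler, where the alternative is an unhandled crash; elsewhere it hides bugs. It is also a stopgap rather than a fix: the 2.9.1 parser still misbehaves on the crafted input, so the dependency bump to 2.10.0 stays mandatory.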
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-24615?
Available Upgrade Options
- net.lingala.zip4j:zip4j
- <2.10.0 → Upgrade to 2.10.0
Check which version is actually resolved, including any copy pulled in transitively by another dependency, before and after the bump, for example with `mvn dependency:tree -Dincludes=net.lingala.zip4j`.
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-24615
- https://osv.dev/vulnerability/GHSA-q62h-jw38-24vh
- https://github.com/srikanth-lingala/zip4j/issues/377
- https://github.com/srikanth-lingala/zip4j/issues/418
- https://github.com/srikanth-lingala/zip4j
What are Similar Vulnerabilities to CVE-2022-24615?
Similar Vulnerabilities: CVE-2020-5397, CVE-2020-8037, CVE-2021-39130, CVE-2021-37574, CVE-2020-14986
