7.5

CVE-2018-12019

Exploit

EPSS 0.49%
Published 13.06.2018 23:29:00
Last modified 21.11.2024 03:44:25
Source cve@mitre.org
Teams watchlist Login
Open Login

The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Enigmail ≫ Enigmail Version < 2.0.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.644

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

Third Party Advisory

VDB Entry

http://seclists.org/fulldisclosure/2019/Apr/38

Third Party Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2019/04/30/4

Third Party Advisory

Mailing List

https://github.com/RUB-NDS/Johnny-You-Are-Fired

https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf

http://openwall.com/lists/oss-security/2018/06/13/10

Third Party Advisory

Mailing List

https://www.enigmail.net/index.php/en/download/changelog

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2018-12019

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-12019

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-12019

EUVD