CVE Vulnerabilities

CVE-2017-17848

Improper Verification of Cryptographic Signature

Published: Dec 27, 2017 | Modified: May 16, 2019
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
HIGH

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Name Vendor Start Version End Version
Enigmail Enigmail * 1.9.9 (excluding)
Enigmail Ubuntu artful *
Enigmail Ubuntu trusty *
Enigmail Ubuntu upstream *
Enigmail Ubuntu xenial *
Enigmail Ubuntu zesty *

References