CVE Vulnerabilities

CVE-2019-12269

Improper Verification of Cryptographic Signature

Published: May 21, 2019 | Modified: Nov 07, 2023
CVSS 3.x: 7.5 HIGH
Source: NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x: 5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu: LOW

Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PGP message, an attacker can cause the product to display a correctly signed message indication, but display different unauthenticated text.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Name      Vendor    Start Version     End Version
Enigmail  Enigmail  *                 2.0.11 (excluding)
Enigmail  Ubuntu    bionic            *
Enigmail  Ubuntu    cosmic            *
Enigmail  Ubuntu    disco             *
Enigmail  Ubuntu    esm-apps/bionic   *
Enigmail  Ubuntu    esm-apps/xenial   *
Enigmail  Ubuntu    trusty            *
Enigmail  Ubuntu    xenial            *
