CVE-2017-17843
First published: Fri Dec 22 2017(Updated: )
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/enigmail | 2:2.2.4-0.2~deb10u1 2:2.1.3+ds1-4~deb10u2 2:2.2.4-0.3 | |
| Enigmail Enigmail | <1.9.9 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
- https://security-tracker.debian.org/tracker/CVE-2017-17843
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.html
- https://www.debian.org/security/2017/dsa-4070
- https://www.mail-archive.com/enigmail-users@enigmail.net/msg04280.html
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
- collector/security-tracker-debian
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/enigmail
- canonical/enigmail enigmail
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0