Vulnerability Description
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Enigmail | Enigmail | < 1.9.9 |
| Debian | Debian Linux | 8.0 |
References
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20 (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.html (Third Party Advisory)
- https://www.debian.org/security/2017/dsa-4070 (Third Party Advisory)
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
FAQ
What is CVE-2017-17843?
CVE-2017-17843 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of ...
How severe is CVE-2017-17843?
CVE-2017-17843 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17843?
Check the references section above for vendor advisories and patch information. Affected products include: Enigmail (vendor: Enigmail) before 1.9.9 and Debian Linux 8.0 (vendor: Debian).