Vulnerability Description
An issue was discovered in Enigmail before 1.9.9. A remote attacker can obtain cleartext content by sending an encrypted data block (that the attacker cannot directly decrypt) to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text, aka the TBE-01-005 "replay" issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Enigmail | Enigmail | < 1.9.9 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20Third Party AdvisoryVendor Advisory
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.htmlThird Party Advisory
- https://www.debian.org/security/2017/dsa-4070Third Party Advisory
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20Third Party AdvisoryVendor Advisory
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.htmlThird Party Advisory
- https://www.debian.org/security/2017/dsa-4070Third Party Advisory
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
FAQ
What is CVE-2017-17844?
CVE-2017-17844 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in Enigmail before 1.9.9. A remote attacker can obtain cleartext content by sending an encrypted data block (that the attacker cannot directly decrypt) to a victim, and relying...
How severe is CVE-2017-17844?
CVE-2017-17844 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17844?
Check the references section above for vendor advisories and patch information. Affected products include: Enigmail Enigmail, Debian Debian Linux.