Vulnerability Description
An issue was discovered in Enigmail before 1.9.9. Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp), aka TBE-01-001.
CVSS Score
7.3
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Enigmail | Enigmail | < 1.9.9 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20Third Party AdvisoryVendor Advisory
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.htmlThird Party Advisory
- https://www.debian.org/security/2017/dsa-4070Third Party Advisory
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20Third Party AdvisoryVendor Advisory
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.htmlThird Party Advisory
- https://www.debian.org/security/2017/dsa-4070Third Party Advisory
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
FAQ
What is CVE-2017-17845?
CVE-2017-17845 is a vulnerability with a CVSS score of 7.3 (HIGH). An issue was discovered in Enigmail before 1.9.9. Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp), aka TBE-01-001.
How severe is CVE-2017-17845?
CVE-2017-17845 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17845?
Check the references section above for vendor advisories and patch information. Affected products include: Enigmail Enigmail, Debian Debian Linux.