Vulnerability Description
An issue was discovered in Enigmail before 1.9.9. Regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings, aka TBE-01-003.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Enigmail | Enigmail | < 1.9.9 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20 (Third Party Advisory, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
- https://lists.debian.org/debian-security-announce/2017/msg00333.html (Third Party Advisory)
- https://www.debian.org/security/2017/dsa-4070 (Third Party Advisory)
- https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
FAQ
What is CVE-2017-17846?
CVE-2017-17846 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Enigmail before 1.9.9. Regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings, aka TBE-01-003.
How severe is CVE-2017-17846?
CVE-2017-17846 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17846?
Check the references section above for vendor advisories and patch information. Affected products include: Enigmail Enigmail, Debian Debian Linux.