CVE-2017-17847 — HIGH (7.5)

Q: How severe is CVE-2017-17847?

CVE-2017-17847 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-17847?

Check the references section above for vendor advisories and patch information. Affected products include: Enigmail Enigmail, Debian Debian Linux.

Vulnerability Description

An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachment that is a signed e-mail message in message/rfc822 format.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Enigmail	Enigmail	< 1.9.9
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-347

References

https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20Vendor Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
https://lists.debian.org/debian-security-announce/2017/msg00333.htmlThird Party Advisory
https://sourceforge.net/p/enigmail/bugs/709/Third Party Advisory
https://www.debian.org/security/2017/dsa-4070Third Party Advisory
https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20Vendor Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
https://lists.debian.org/debian-security-announce/2017/msg00333.htmlThird Party Advisory
https://sourceforge.net/p/enigmail/bugs/709/Third Party Advisory
https://www.debian.org/security/2017/dsa-4070Third Party Advisory
https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html

FAQ

What is CVE-2017-17847?

CVE-2017-17847 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entir...

How severe is CVE-2017-17847?

CVE-2017-17847 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-17847?

Check the references section above for vendor advisories and patch information. Affected products include: Enigmail Enigmail, Debian Debian Linux.