CVE-2017-17843

Sažetak

An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.

Reference

https://www.debian.org/security/2017/dsa-4070
https://lists.debian.org/debian-security-announce/2017/msg00333.html
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
https://www.mail-archive.com/enigmail-users%40enigmail.net/msg04280.html

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

07-11-2023 - 02:41

Objavljeno

27-12-2017 - 17:08