Back to search
CVE-2018-12019
Published: Jun 13, 2018
Modified: Aug 5, 2024
PUBLISHED
Description
The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
http://openwall.com/lists/oss-security/2018/06/13/10
x_refsource_MISC
https://www.enigmail.net/index.php/en/download/changelog
x_refsource_MISC
[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)
mailing-list
x_refsource_MLIST
20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients
mailing-list
x_refsource_FULLDISC
https://github.com/RUB-NDS/Johnny-You-Are-Fired
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now