Vulnerability Details : CVE-2007-1558
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.
Products affected by CVE-2007-1558
- cpe:2.3:a:apop_protocol:apop_protocol:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2007-1558
8.54%: Probability of exploitation activity in the next 30 days
~ 92%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2007-1558
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N | 4.9 | 2.9 | NIST | |
References for CVE-2007-1558
- https://issues.rpath.com/browse/RPL-1232
- http://www.redhat.com/support/errata/RHSA-2007-0401.html (Support)
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:131 (Mandriva)
- http://www.securityfocus.com/archive/1/464477/30/0/threaded [Vendor Advisory]
- http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt (Fetchmail - Free Open Source Mail Daemon)
- http://www.vupen.com/english/advisories/2007/1466
- http://www.vupen.com/english/advisories/2007/1480
- http://www.redhat.com/support/errata/RHSA-2007-0402.html (Support)
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857 (The Slackware Linux Project: Slackware Security Advisories)
- http://docs.info.apple.com/article.html?artnum=305530
- http://www.securityfocus.com/archive/1/471455/100/0/threaded
- http://www.vupen.com/english/advisories/2008/0082
- http://www.redhat.com/support/errata/RHSA-2007-0386.html (Support)
- http://www.redhat.com/support/errata/RHSA-2009-1140.html (Support)
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:105 (Mandriva)
- http://www.securityfocus.com/archive/1/471842/100/0/threaded
- http://www.openwall.com/lists/oss-security/2009/08/15/1 (oss-security - mailfilter 0.8.2 fixes CVE-2007-1558 (APOP))
- http://www.redhat.com/support/errata/RHSA-2007-0344.html (Support)
- http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
- ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
- http://www.ubuntu.com/usn/usn-520-1 (USN-520-1: fetchmail vulnerabilities | Ubuntu security notices | Ubuntu)
- http://www.securityfocus.com/archive/1/464569/100/0/threaded
- http://www.vupen.com/english/advisories/2007/2788
- http://sylpheed.sraoss.jp/en/news.html (Sylpheed - lightweight and user-friendly e-mail client)
- http://www.redhat.com/support/errata/RHSA-2007-0385.html (Support)
- http://www.securityfocus.com/bid/23257 [Patch]
- http://www.vupen.com/english/advisories/2007/1467
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:107 (Mandriva)
- http://www.ubuntu.com/usn/usn-469-1 (USN-469-1: Thunderbird vulnerabilities | Ubuntu security notices | Ubuntu)
- http://balsa.gnome.org/download.html
- http://www.securityfocus.com/archive/1/470172/100/200/threaded
- https://issues.rpath.com/browse/RPL-1231
- http://www.debian.org/security/2007/dsa-1305 ([SECURITY] [DSA 1305-1] New icedove packages fix several vulnerabilities) [Patch]
- http://www.debian.org/security/2007/dsa-1300 ([SECURITY] [DSA 1300-1] New iceape packages fix several vulnerabilities)
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:119 (Mandriva)
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:113 (Mandriva)
- http://www.vupen.com/english/advisories/2007/1994
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782
- http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html (ANNOUNCE: balsa-2.3.17 released)
- http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
- http://www.claws-mail.org/news.php (Claws Mail - The user-friendly, lightweight, and fast e-mail client)
- http://www.openwall.com/lists/oss-security/2009/08/18/1 (oss-security - Re: CVE-2007-1558 update (was: mailfilter 0.8.2 fixes CVE-2007-1558 (APOP)))
- http://www.vupen.com/english/advisories/2007/1939
- http://www.novell.com/linux/security/advisories/2007_14_sr.html (Security - Support | SUSE)
- http://sourceforge.net/forum/forum.php?forum_id=683706
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
- http://www.securitytracker.com/id?1018008
- http://security.gentoo.org/glsa/glsa-200706-06.xml (Mozilla products: Multiple vulnerabilities (GLSA 200706-06) — Gentoo security)
- http://www.us-cert.gov/cas/techalerts/TA07-151A.html
- http://www.redhat.com/support/errata/RHSA-2007-0353.html (Support)
- http://www.securityfocus.com/archive/1/471720/100/0/threaded
- http://www.mozilla.org/security/announce/2007/mfsa2007-15.html (Security Vulnerability in APOP Authentication — Mozilla) [Patch; Vendor Advisory]
- https://issues.rpath.com/browse/RPL-1424
- http://www.vupen.com/english/advisories/2007/1468
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579