Vulnerability Details : CVE-2011-3201
GNOME Evolution before 3.2.3 allows user-assisted remote attackers to read arbitrary files via the attachment parameter to a mailto: URL, which attaches the file to the email.
Vulnerability category: Information leak
Products affected by CVE-2011-3201
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.22.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.24:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.22.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.24.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.26.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.28.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.26.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.32.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.30.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-3201
0.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-3201
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2011-3201
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-3201
-
https://git.gnome.org/browse/evolution/commit/?id=588c410718068388f8ce0004a71c104a4c89cce3
Bug 657374 - mailto: attachment parameter can lead to accidental data exfiltration (588c4107) · Commits · GNOME / evolution · GitLabPatch;Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2013-0516.html
RHSA-2013:0516 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/82450
GNOME Evolution mailto information disclosure CVE-2011-3201 Vulnerability Report
-
https://bugzilla.gnome.org/show_bug.cgi?id=657374
Bug 657374 – mailto: attachment parameter can lead to accidental data exfiltrationIssue Tracking
-
https://bugzilla.redhat.com/show_bug.cgi?id=733504
733504 – (CVE-2011-3201) CVE-2011-3201 evolution: mailto URL scheme attachment header improper input validationPatch;Issue Tracking;Vendor Advisory
-
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Oracle Bulletin Board Update - January 2015Third Party Advisory
-
https://git.gnome.org/browse/evolution/commit/?id=0a478083fa31aec0059bc6feacc054226fe55b56
NEWS update for 3.2.3 release. (0a478083) · Commits · GNOME / evolution · GitLabPatch;Vendor Advisory
Jump to