Vulnerability Details: CVE-2017-17843
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an unintended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated recipient list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002. The practical consequence is that a message can be encrypted to a key other than the one belonging to the intended recipient, without the sender noticing.
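The following is an added example and not Enigmail's own code (Enigmail is written in JavaScript, which is why that language is used). It contrasts a naive comma-split-plus-regex recipient extractor with a quote-aware mailbox-list parser and an ASCII-only addr-spec check, so that neither a comma or "@" planted in the display name nor a homograph address can steer key selection. The key ring, the key IDs, the exact shape of the modified Full Name field and all header values are constructed for the example; they are not taken from the Cure53 report.

```javascript
// Added example, not Enigmail's own code: a naive regex-based recipient
// extractor next to a quote-aware mailbox-list parser with an ASCII-only
// addr-spec check. The key ring, key IDs and header values are constructed.

// Constructed key ring: addr-spec (as found in a key's user ID) -> key ID.
// The last entry is an attacker key whose user ID replaces the Latin "a" in
// "example" with Cyrillic U+0430, a homograph of alice@example.com.
const KEYRING = {
  "alice@example.com": "KEY-ALICE",
  "bob@example.org": "KEY-BOB",
  "attacker@example.net": "KEY-ATTACKER",
  "alice@ex\u0430mple.com": "KEY-HOMOGRAPH",
};

// Naive extractor: split the header on commas, then take the first
// user@host-looking token in each chunk. Both steps are wrong: a comma inside
// a quoted display name splits the mailbox, and an "@" in the display name
// is picked up before the real address in the angle brackets.
function naiveExtract(headerValue) {
  return headerValue
    .split(",")
    .map((chunk) => {
      const m = chunk.match(/([^\s<>"]+@[^\s<>"]+)/);
      return m ? m[1] : null;
    })
    .filter(Boolean);
}

// Quote-aware parser for a comma-separated mailbox list: tracks quoted
// strings and angle brackets, so nothing inside the display name can become
// the address. Returns [{ display, addr }, ...].
function parseMailboxList(headerValue) {
  const out = [];
  let display = "";
  let addr = null;
  let buf = "";
  let inQuote = false;
  let inAngle = false;
  const flush = () => {
    const d = display.trim();
    if (addr === null && d !== "") addr = d; // bare addr-spec, no brackets
    if (addr !== null) out.push({ display: d, addr });
    display = "";
    addr = null;
  };
  for (let i = 0; i < headerValue.length; i++) {
    const c = headerValue[i];
    if (inQuote) {
      if (c === "\\" && i + 1 < headerValue.length) display += headerValue[++i];
      else if (c === '"') inQuote = false;
      else display += c;
    } else if (inAngle) {
      if (c === ">") { inAngle = false; addr = buf.trim(); buf = ""; }
      else buf += c;
    } else if (c === '"') inQuote = true;
    else if (c === "<") inAngle = true;
    else if (c === ",") flush();
    else display += c;
  }
  flush();
  return out;
}

// Strict addr-spec check: ASCII local part and dotted ASCII domain only. A
// non-ASCII code point (such as a Cyrillic homoglyph) is rejected instead of
// being matched against whatever key happens to carry that user ID.
const ADDR_SPEC = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validateAddrSpec(addr) {
  if (/[^\x00-\x7F]/.test(addr)) return { ok: false, reason: "non-ASCII character in address" };
  if (!ADDR_SPEC.test(addr)) return { ok: false, reason: "not an addr-spec" };
  return { ok: true, reason: "" };
}

// Vulnerable pipeline: whatever the regex found is looked up directly.
function naiveSelectKeys(headerValue) {
  return naiveExtract(headerValue).map((a) => KEYRING[a] || null);
}

// Hardened pipeline: parse, validate, and fail closed (key: null plus a
// reason) rather than encrypting to a surprising key.
function safeSelectKeys(headerValue) {
  return parseMailboxList(headerValue).map(({ addr }) => {
    const v = validateAddrSpec(addr);
    if (!v.ok) return { addr, key: null, error: v.reason };
    const key = KEYRING[addr] || null;
    return { addr, key, error: key ? null : "no key for address" };
  });
}

// Constructed headers for the two cases the advisory names: a modified
// display name (here a comma plus an attacker address inside the quotes)
// and a homograph address.
const COMMA_IN_NAME =
  '"Smith, attacker@example.net" <alice@example.com>, bob@example.org';
const HOMOGRAPH = "Alice <alice@ex\u0430mple.com>";

console.log(naiveSelectKeys(COMMA_IN_NAME)); // [ 'KEY-ATTACKER', 'KEY-BOB' ]
console.log(safeSelectKeys(COMMA_IN_NAME).map((r) => r.key)); // [ 'KEY-ALICE', 'KEY-BOB' ]
console.log(naiveSelectKeys(HOMOGRAPH)); // [ 'KEY-HOMOGRAPH' ]
console.log(safeSelectKeys(HOMOGRAPH)[0].error); // non-ASCII character in address
```

The point of the hardened path is that key selection never consumes a substring produced by a permissive regex: the address is whatever sits between the angle brackets (or the whole mailbox when there are none), it must pass a strict ASCII addr-spec check, and anything that does not resolve to exactly one key is surfaced as an error instead of being silently encrypted to.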
Exploit prediction scoring system (EPSS) score for CVE-2017-17843
Probability of exploitation activity in the next 30 days: 0.62%
Percentile (the proportion of all scored vulnerabilities with an EPSS score at or below this one): ~76%
CVSS scores for CVE-2017-17843
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST |

The first row is CVSS v2, the second CVSS v3.0. Both score only an integrity impact (C:N/A:N): the flaw does not disclose data by itself, but it lets a message be encrypted to the wrong key, which is why v3.0 rates integrity as High while keeping attack complexity High.
References for CVE-2017-17843
- https://www.debian.org/security/2017/dsa-4070 : Debian -- Security Information -- DSA-4070-1 enigmail (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html : [SECURITY] [DLA 1219-1] enigmail security update
- https://www.mail-archive.com/enigmail-users@enigmail.net/msg04280.html : Re: [Enigmail] [ANN] Enigmail v1.9.9 available (Mailing List; Third Party Advisory)
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf : Enigmail Pentest Report by Cure53, excerpt (Vendor Advisory)
- https://lists.debian.org/debian-security-announce/2017/msg00333.html : [SECURITY] [DSA 4070-1] enigmail security update (Third Party Advisory)
Products affected by CVE-2017-17843
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:enigmail:enigmail:*:*:*:*:*:*:*:*