Vulnerability Details : CVE-2017-17846
An issue was discovered in Enigmail before 1.9.9. Regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings, aka TBE-01-003.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2017-17846
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:enigmail:enigmail:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-17846
- 0.51%: probability of exploitation activity in the next 30 days
- ~74%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-17846
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2017-17846
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-17846
- https://www.debian.org/security/2017/dsa-4070
  Debian -- Security Information -- DSA-4070-1 enigmail (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
  [SECURITY] [DLA 1219-1] enigmail security update
- https://www.mail-archive.com/enigmail-users@enigmail.net/msg04280.html
  Re: [Enigmail] [ANN] Enigmail v1.9.9 available (Mailing List; Third Party Advisory)
- https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
  (Third Party Advisory; Vendor Advisory)
- https://lists.debian.org/debian-security-announce/2017/msg00333.html
  [SECURITY] [DSA 4070-1] enigmail security update (Third Party Advisory)