This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Enigmail First view 2005-10-18
Product Enigmail Last view 2019-08-05
Version 0.84.2 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:enigmail:enigmail

Activity : Overall

Related : CVE

  Date Alert Description
6.5 2019-08-05 CVE-2019-14664

In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks.

7.5 2019-05-21 CVE-2019-12269

Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PGP message, an attacker can cause the product to display a "correctly signed" message indication, but display different unauthenticated text.

6.5 2019-02-11 CVE-2018-15586

Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed for arbitrary messages using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email.

7.5 2018-06-13 CVE-2018-12019

The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.

7.5 2017-12-27 CVE-2017-17848

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.

7.5 2017-12-27 CVE-2017-17847

An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachment that is a signed e-mail message in message/rfc822 format.

7.5 2017-12-27 CVE-2017-17846

An issue was discovered in Enigmail before 1.9.9. Regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings, aka TBE-01-003.

7.3 2017-12-27 CVE-2017-17845

An issue was discovered in Enigmail before 1.9.9. Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp), aka TBE-01-001.

6.5 2017-12-27 CVE-2017-17844

An issue was discovered in Enigmail before 1.9.9. A remote attacker can obtain cleartext content by sending an encrypted data block (that the attacker cannot directly decrypt) to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text, aka the TBE-01-005 "replay" issue.

5.9 2017-12-27 CVE-2017-17843

An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.

5 2007-03-06 CVE-2007-1264

Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

7.8 2007-02-23 CVE-2006-5877

The enigmail extension before 0.94.2 does not properly handle large, encrypted file e-mail attachments, which allows remote attackers to cause a denial of service (crash), as demonstrated with Mozilla Thunderbird.

5 2005-10-18 CVE-2005-3256

The key selection dialogue in Enigmail before 0.92.1 can incorrectly select a key with a user ID that does not have additional information, which allows parties with that key to decrypt the message.

CWE : Common Weakness Enumeration

%idName
55% (5) CWE-347 Improper Verification of Cryptographic Signature
11% (1) CWE-338 Use of Cryptographically Weak PRNG
11% (1) CWE-326 Inadequate Encryption Strength
11% (1) CWE-319 Cleartext Transmission of Sensitive Information
11% (1) CWE-20 Improper Input Validation

Open Source Vulnerability Database (OSVDB)

id Description
45258 enigmail Extension Encrypted File Attachment Handling DoS
33502 Multiple Mail Client --status-fd GnuPG Invocation Spoofed Content Weakness
19486 Enigmail Crafted Key Import Encryption Subversion

OpenVAS Exploits

id Description
2009-10-10 Name : SLES9: Security update for Mozilla Mail
File : nvt/sles9p5016950.nasl
2009-03-23 Name : Ubuntu Update for enigmail vulnerability USN-427-1
File : nvt/gb_ubuntu_USN_427_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 889-1 (enigmail)
File : nvt/deb_889_1.nasl

Nessus® Vulnerability Scanner

id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a4bb79ea75.nasl - Type: ACT_GATHER_INFO
2018-06-25 Name: The remote Fedora host is missing a security update.
File: fedora_2018-fd67c19256.nasl - Type: ACT_GATHER_INFO
2017-12-26 Name: The remote Debian host is missing a security update.
File: debian_DLA-1219.nasl - Type: ACT_GATHER_INFO
2017-12-26 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4070.nasl - Type: ACT_GATHER_INFO
2007-11-10 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-427-1.nasl - Type: ACT_GATHER_INFO
2007-11-10 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-432-1.nasl - Type: ACT_GATHER_INFO
2007-03-12 Name: The remote Mandrake Linux host is missing one or more security updates.
File: mandrake_MDKSA-2007-059.nasl - Type: ACT_GATHER_INFO
2006-10-14 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-889.nasl - Type: ACT_GATHER_INFO
2006-01-15 Name: The remote Mandrake Linux host is missing one or more security updates.
File: mandrake_MDKSA-2005-226.nasl - Type: ACT_GATHER_INFO
2006-01-15 Name: The remote Ubuntu host is missing one or more security-related patches.
File: ubuntu_USN-211-1.nasl - Type: ACT_GATHER_INFO