Summary
| Detail | |||
|---|---|---|---|
| Vendor | Gnome | First view | 2005-08-12 |
| Product | Evolution | Last view | 2021-02-01 |
| Version | 2.3.3 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:gnome:evolution | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 3.3 | 2021-02-01 | CVE-2021-3349 | ** DISPUTED ** GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior. |
| 6.5 | 2020-04-17 | CVE-2020-11879 | An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=. value. |
| 7.5 | 2020-02-06 | CVE-2013-4166 | The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information. |
| 6.5 | 2019-02-11 | CVE-2018-15587 | GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. |
| 9.8 | 2018-07-20 | CVE-2016-10727 | camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly. |
| 9.8 | 2018-06-15 | CVE-2018-12422 | ** DISPUTED ** addressbook/backends/ldap/e-book-backend-ldap.c in Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a Buffer Overflow via a long query that is processed by the strcat function. NOTE: the software maintainer disputes this because "the code had computed the required string length first, and then allocated a large-enough buffer on the heap." |
| 4.3 | 2013-03-08 | CVE-2011-3201 | GNOME Evolution before 3.2.3 allows user-assisted remote attackers to read arbitrary files via the attachment parameter to a mailto: URL, which attaches the file to the email. |
| 2.1 | 2009-05-14 | CVE-2009-1631 | The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files. |
| 6.8 | 2008-03-05 | CVE-2008-0072 | Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field. |
| 5 | 2007-03-06 | CVE-2007-1266 | Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection. |
| 2.6 | 2006-06-02 | CVE-2006-2789 | Evolution 2.2.x and 2.3.x in GNOME 2.7 and 2.8, when "load images if sender in addressbook" is enabled, allows remote attackers to cause a denial of service (persistent crash) via a crafted "From" header that triggers an assert error in camel-internet-address.c when a null pointer is used. |
| 5 | 2006-02-02 | CVE-2006-0528 | The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment. |
| 7.5 | 2005-08-12 | CVE-2005-2550 | Format string vulnerability in Evolution 1.4 through 2.3.6.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the calendar entries such as task lists, which are not properly handled when the user selects the Calendars tab. |
| 7.5 | 2005-08-12 | CVE-2005-2549 | Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 37% (3) | CWE-200 | Information Exposure |
| 12% (1) | CWE-347 | Improper Verification of Cryptographic Signature |
| 12% (1) | CWE-345 | Insufficient Verification of Data Authenticity |
| 12% (1) | CWE-264 | Permissions, Privileges, and Access Controls |
| 12% (1) | CWE-134 | Uncontrolled Format String |
| 12% (1) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 54679 | Evolution Mailer Component .evolution Directory Permission Weakness Local Inf... |
| 42804 | Evolution mail/em-format.c emf_multipart_encrypted Function Crafted Encrypted... |
| 33502 | Multiple Mail Client --status-fd GnuPG Invocation Spoofed Content Weakness |
| 31771 | GNOME Crafted Header camel-internet-address.c Null Pointer DoS |
| 22923 | GNOME Evolution Mail Client Inline Text File Content-Disposition DoS |
| 18690 | GNOME Evolution Calendar Tab Task List Data Format String |
| 18689 | GNOME Evolution Task List Data Remote Format String |
| 18688 | GNOME Evolution LDAP Server Contact Data Remote Format String |
| 18687 | GNOME Evolution vCard Attachment Format String |
OpenVAS Exploits
| id | Description |
|---|---|
| 2009-05-19 | Name : Evolution Mail Client Information Disclosure Vulnerability File : nvt/secpod_evolution_info_disc_vuln.nasl |
| 2009-04-09 | Name : Mandriva Update for evolution MDVSA-2008:063 (evolution) File : nvt/gb_mandriva_MDVSA_2008_063.nasl |
| 2009-03-23 | Name : Ubuntu Update for evolution vulnerability USN-583-1 File : nvt/gb_ubuntu_USN_583_1.nasl |
| 2009-03-06 | Name : RedHat Update for evolution RHSA-2008:0177-01 File : nvt/gb_RHSA-2008_0177-01_evolution.nasl |
| 2009-02-27 | Name : CentOS Update for evolution CESA-2008:0177 centos4 i386 File : nvt/gb_CESA-2008_0177_evolution_centos4_i386.nasl |
| 2009-02-27 | Name : CentOS Update for evolution CESA-2008:0177 centos4 x86_64 File : nvt/gb_CESA-2008_0177_evolution_centos4_x86_64.nasl |
| 2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-5016 File : nvt/gb_fedora_2008_5016_evolution_fc8.nasl |
| 2009-02-17 | Name : Fedora Update for evolution FEDORA-2008-5018 File : nvt/gb_fedora_2008_5018_evolution_fc7.nasl |
| 2009-02-16 | Name : Fedora Update for evolution FEDORA-2008-2290 File : nvt/gb_fedora_2008_2290_evolution_fc7.nasl |
| 2009-02-16 | Name : Fedora Update for evolution FEDORA-2008-2292 File : nvt/gb_fedora_2008_2292_evolution_fc8.nasl |
| 2009-01-23 | Name : SuSE Update for evolution SUSE-SA:2008:014 File : nvt/gb_suse_2008_014.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200508-12 (evolution) File : nvt/glsa_200508_12.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-12 (evolution) File : nvt/glsa_200803_12.nasl |
| 2008-09-04 | Name : FreeBSD Ports: evolution File : nvt/freebsd_evolution0.nasl |
| 2008-03-11 | Name : Debian Security Advisory DSA 1512-1 (evolution) File : nvt/deb_1512_1.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1016-1 (evolution) File : nvt/deb_1016_1.nasl |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2019-01-03 | Name: The remote Fedora host is missing one or more security updates. File: fedora_2018-1434efb8f3.nasl - Type: ACT_GATHER_INFO |
| 2014-11-12 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2013-1540.nasl - Type: ACT_GATHER_INFO |
| 2013-12-10 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20131121_evolution_on_SL6_x.nasl - Type: ACT_GATHER_INFO |
| 2013-11-29 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2013-1540.nasl - Type: ACT_GATHER_INFO |
| 2013-11-21 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2013-1540.nasl - Type: ACT_GATHER_INFO |
| 2013-08-01 | Name: The remote Ubuntu host is missing one or more security-related patches. File: ubuntu_USN-1922-1.nasl - Type: ACT_GATHER_INFO |
| 2013-07-12 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2008-0177.nasl - Type: ACT_GATHER_INFO |
| 2013-07-12 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2013-0516.nasl - Type: ACT_GATHER_INFO |
| 2013-03-10 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2013-0516.nasl - Type: ACT_GATHER_INFO |
| 2013-03-05 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20130221_evolution_on_SL6_x.nasl - Type: ACT_GATHER_INFO |
| 2013-02-21 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2013-0516.nasl - Type: ACT_GATHER_INFO |
| 2013-01-24 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2008-0178.nasl - Type: ACT_GATHER_INFO |
| 2012-08-01 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20080305_evolution_on_SL4_x.nasl - Type: ACT_GATHER_INFO |
| 2010-03-11 | Name: The remote SuSE 11 host is missing one or more security updates. File: suse_11_evolution-data-server-100208.nasl - Type: ACT_GATHER_INFO |
| 2009-04-23 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2008-063.nasl - Type: ACT_GATHER_INFO |
| 2008-03-13 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2008-0177.nasl - Type: ACT_GATHER_INFO |
| 2008-03-13 | Name: The remote openSUSE host is missing a security update. File: suse_evolution-5087.nasl - Type: ACT_GATHER_INFO |
| 2008-03-13 | Name: The remote SuSE 10 host is missing a security-related patch. File: suse_evolution-5086.nasl - Type: ACT_GATHER_INFO |
| 2008-03-07 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2008-0177.nasl - Type: ACT_GATHER_INFO |
| 2008-03-07 | Name: The remote Ubuntu host is missing one or more security-related patches. File: ubuntu_USN-583-1.nasl - Type: ACT_GATHER_INFO |
| 2008-03-07 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-1512.nasl - Type: ACT_GATHER_INFO |
| 2008-03-07 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-200803-12.nasl - Type: ACT_GATHER_INFO |
| 2008-03-07 | Name: The remote Fedora host is missing a security update. File: fedora_2008-2290.nasl - Type: ACT_GATHER_INFO |
| 2008-03-07 | Name: The remote Fedora host is missing a security update. File: fedora_2008-2292.nasl - Type: ACT_GATHER_INFO |
| 2007-11-10 | Name: The remote Ubuntu host is missing a security-related patch. File: ubuntu_USN-432-1.nasl - Type: ACT_GATHER_INFO |
