Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2017-17848

Date: December 22, 2017

An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.

Severity Score

Related Resources (13)

https://lists.debian.org/debian-lts-announce/2017/12/msg00021.html
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
https://security-tracker.debian.org/tracker/CVE-2017-17848
https://sourceforge.net/p/enigmail/bugs/709/
http://seclists.org/fulldisclosure/2019/Apr/38
https://www.debian.org/security/2017/dsa-4070
https://nvd.nist.gov/vuln/detail/CVE-2017-17848
https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17848
https://lists.debian.org/debian-security-announce/2017/msg00333.html
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
https://github.com/RUB-NDS/Johnny-You-Are-Fired
http://www.openwall.com/lists/oss-security/2019/04/30/4
https://www.mend.io/vulnerability-database/CVE-2017-17848

Severity Score

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us