Information disclosure in Enigmail - CVE-2019-14664

Published: August 6, 2019


Vulnerability identifier: #VU19940
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-14664
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: enigmail.mozdev.org
Affected software:
Enigmail

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

This vulnerability exists due to insufficient validation of PGP-encrypted emails. A remote attacker in possession of PGP-encrypted emails can wrap them as sub-parts within a crafted multipart email, trick a victim into replying to this (benign-looking) email and gain unauthorized access to sensitive information on the system.

This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks.
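The nesting pattern described above (encrypted content appearing as a sub-part of a larger multipart message rather than as the whole message body) can be flagged by a mail filter or client plugin before a reply is composed. This is an added example, not Enigmail's own code; the sample message is constructed and its ciphertext is a placeholder.

```python
# Added example (not Enigmail's code): flag a PGP-encrypted part that is nested
# as a sub-part of a larger multipart message instead of being the whole body.
import email

# Constructed sample: outer multipart/mixed carrying a benign text part plus a wrapped encrypted part.
SAMPLE_WRAPPED = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=utf-8

Can you look at this and reply?
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--inner--
--outer--
"""

def is_encrypted_part(part):
    """True for a PGP/MIME encrypted container or an inline PGP-armored text part."""
    if part.get_content_type() == "multipart/encrypted":
        return True
    if part.get_content_maintype() == "text":
        return b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b"")
    return False

def find_wrapped_encrypted_parts(raw):
    """Return MIME index paths (e.g. [1]) of encrypted parts below the top level; [] is the normal case."""
    hits = []
    def walk(part, path):
        if path and is_encrypted_part(part):
            hits.append(path)  # nested encrypted part found: record it and do not descend
            return
        if part.is_multipart():
            for i, child in enumerate(part.get_payload()):
                walk(child, path + [i])
    walk(email.message_from_string(raw), [])
    return hits
```

A non-empty result means decrypted text could end up quoted in a reply alongside attacker-supplied plaintext, so such messages deserve a warning or a reply without quoting.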


How to mitigate CVE-2019-14664

Install updates from the vendor's website.

Sources