Input validation error in Enigmail - CVE-2017-17843

 

Published: December 27, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU37739
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-17843
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: enigmail.mozdev.org
Affected software:
Enigmail

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.
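
The parsing flaw described above, as an added JavaScript illustration. This is not Enigmail's code: the function names, the regular expressions and the sample header are constructed for this example. It contrasts comma-splitting address extraction with a quote-aware parser that refuses ambiguous recipients, and adds a simple non-ASCII check for the homograph case.

```javascript
// Added illustration, not Enigmail's code. All names and sample data are constructed.

// Flawed pattern: split on every comma, then take anything that looks like
// an address. A comma inside a quoted display name becomes a separator.
function naiveExtract(header) {
  return header.split(",")
    .map((part) => (part.match(/[^\s<>"]+@[^\s<>"]+/) || [null])[0])
    .filter(Boolean);
}

// Split only on commas that sit outside quotes and outside <...>.
function splitRecipients(header) {
  const parts = [];
  let cur = "", inQuote = false, inAngle = false;
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (ch === "\\" && inQuote) { cur += ch + (header[++i] || ""); continue; }
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === "<") inAngle = true;
    else if (!inQuote && ch === ">") inAngle = false;
    if (ch === "," && !inQuote && !inAngle) { parts.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}

// Use the addr-spec inside <...> when present; reject anything ambiguous
// instead of guessing which key to encrypt to.
function strictExtract(header) {
  return splitRecipients(header).map((part) => {
    const m = part.match(/<([^<>]*)>\s*$/);
    const addr = (m ? m[1] : part).trim();
    if (!/^[^\s@<>",]+@[^\s@<>",]+$/.test(addr)) {
      throw new Error("unparseable recipient: " + part);
    }
    return addr;
  });
}

// Homograph guard: a non-ASCII character in an address warrants explicit
// user confirmation before a key is selected for it.
function hasNonAscii(addr) { return /[^\x00-\x7f]/.test(addr); }

// Constructed sample: the display name of the first recipient embeds an address.
const SAMPLE = '"mallory@attacker.example, Alice" <alice@corp.example>, bob@corp.example';
console.log(naiveExtract(SAMPLE));
console.log(strictExtract(SAMPLE));
```

The naive function returns three addresses for a header that names two recipients, so a key lookup driven by its output would include a key the sender never chose.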


How to mitigate CVE-2017-17843

Install the update from the vendor's website.
