CVE-2017-17843
enigmail - security update
5.9
MEDIUM
CVSS 3.1
EPSS 0.20%
Description
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.
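The defect class the description names is address extraction by regular expression: when the recipient list is split on commas and the first address-looking token in each piece is taken, whatever sits in the display name (Full Name) can be mistaken for the mailbox, and the public key looked up for that string is not the key of the actual recipient. The following Python example is added here to illustrate that failure mode beside a correct approach; it is not Enigmail's code, and the naive regular expression, the keyring and the header value are constructed for the illustration rather than taken from the advisory. The safe path uses the standard library's RFC 5322 parser and keeps only the addr-spec, and a separate check flags non-ASCII addr-specs so that a homograph is not silently matched against an ASCII key user ID.

```python
import re
from email.utils import getaddresses

# Constructed keyring for the example: addr-spec -> key identifier (placeholders).
KEYRING = {
    "alice@example.org": "KEY-ALICE",
    "ceo@corp.example": "KEY-CEO",
    "mallory@example.net": "KEY-MALLORY",
}

# Naive extraction of the kind the advisory describes (constructed, not the
# project's actual pattern): split the header on commas and take the first
# address-looking token in each piece. The display name is searched as well,
# so an address-like string placed there is picked instead of the mailbox.
NAIVE_ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def naive_extract(header_value: str) -> list:
    """Vulnerable pattern: regex search over comma-separated pieces."""
    found = []
    for piece in header_value.split(","):
        match = NAIVE_ADDR_RE.search(piece)
        if match:
            found.append(match.group(0))
    return found


def safe_extract(header_value: str) -> list:
    """Hardened form: parse with the RFC 5322 aware parser and keep only the
    addr-spec of each mailbox. getaddresses() understands quoted display
    names, so commas or address-like text inside the name are not recipients."""
    return [addr for _name, addr in getaddresses([header_value]) if addr]


def is_plain_ascii(addr: str) -> bool:
    """Homograph check: an addr-spec with non-ASCII code points (for example a
    Cyrillic letter standing in for a Latin one) must not be treated as a
    match for an ASCII key user ID; it is flagged rather than resolved."""
    return addr.isascii()


def select_keys(addresses: list) -> dict:
    """Exact-match key lookup only; unknown or non-ASCII addresses get None
    so the caller can refuse to encrypt instead of guessing a key."""
    result = {}
    for addr in addresses:
        lowered = addr.lower()
        result[addr] = KEYRING.get(lowered) if is_plain_ascii(lowered) else None
    return result


if __name__ == "__main__":
    # Constructed To: header: the second mailbox carries a display name that
    # merely looks like an address, followed by the real addr-spec.
    header = 'Alice <alice@example.org>, "ceo@corp.example" <mallory@example.net>'
    print("naive:", select_keys(naive_extract(header)))
    print("safe: ", select_keys(safe_extract(header)))
```

Run stand-alone, the naive path resolves KEY-CEO for the second recipient while the parsed path resolves KEY-MALLORY, the key that actually belongs to the mailbox the message is delivered to. A mail client that encrypts on the naive result has selected a key for an address that was never a recipient, which is the outcome the advisory describes.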
How to fix CVE-2017-17843
To remediate CVE-2017-17843, upgrade the affected package to one of the fixed versions below.
- Upgrade to 2:1.9.9-1 or later
- Upgrade to 2:1.9.9-1~deb7u1 or later
- Upgrade to 2:1.9.9-1~deb8u1 or later
Is CVE-2017-17843 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2:1.9.9-1
- from 0, < 2:1.9.9-1~deb7u1
- from 0, < 2:1.9.9-1~deb8u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |