VDB
CVE-2018-12019
CVE-2018-12019
PUBLISHED
The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.
EPSS 0.49% · 65.7th percentile
Risk Scores
EPSS Score
0.49%
65.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | enigmail | 0, 2:2.2.4-0.3 |
| Ubuntu:20.04:LTS | enigmail | 2:2.1.3+ds1-3, 2:2.1.3+ds1-4, 0 |
| Ubuntu:18.04:LTS | enigmail | *, *, 0 |
| Ubuntu:16.04:LTS | enigmail | 0, 2:1.8.2-0ubuntu1, 2:1.8.2-4fakesync1 |
Timeline
- Jun 13, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-12019 third-party-advisory
- https://neopg.io/blog/enigmail-signature-spoof/ third-party-advisory
- https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-12019 third-party-advisory