Unrated severityNVD Advisory· Published Jun 13, 2018· Updated Aug 5, 2024

CVE-2018-12019

Description

The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Enigmail/Enigmailllm-fuzzy
Range: <2.0.7
osv-coords2 versions
pkg:rpm/opensuse/enigmail&distro=openSUSE%20Tumbleweed pkg:rpm/suse/enigmail&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015
< 2.2.4-1.4+ 1 more
- (no CPE)range: < 2.2.4-1.4
- (no CPE)range: < 2.0.7-3.7.2

Patches

Vulnerability mechanics

References

openwall.com/lists/oss-security/2018/06/13/10mitrex_refsource_MISC
packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.htmlmitrex_refsource_MISC
seclists.org/fulldisclosure/2019/Apr/38mitremailing-listx_refsource_FULLDISC
www.openwall.com/lists/oss-security/2019/04/30/4mitremailing-listx_refsource_MLIST
github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdfmitrex_refsource_MISC
www.enigmail.net/index.php/en/download/changelogmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000