CVE-2019-8338
Description
The signature verification routine in the Airmail GPG-PGP Plugin, versions 1.0 (9) and earlier, does not verify the status of the signature at all, which allows remote attackers to spoof arbitrary email signatures by crafting a signed email with an invalid signature. Also, it does not verify the validity of the signing key, which allows remote attackers to spoof arbitrary email signatures by crafting a key with a fake user ID (email address) and injecting it into the user's keyring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Airmail GPG-PGP Plugin fails to verify signature status and key validity, enabling spoofing of arbitrary email signatures.
Vulnerability
The Airmail GPG-PGP Plugin, versions 1.0 (9) and earlier, does not verify the status of the signature nor the validity of the signing key during signature verification [1][2]. This flaw allows attackers to bypass authenticity checks on signed emails.
Exploitation
An attacker can craft a signed email with an invalid signature or create a key with a fake user ID and inject it into the victim's keyring [1][2]. The attacker then sends an email that appears properly signed to the victim. No prior authentication or special network position is required; the attacker only needs to send an email.
Impact
Successful exploitation allows the attacker to spoof arbitrary email signatures, leading to false authentication of emails. This can enable phishing attacks or impersonation of trusted senders, compromising the integrity and authenticity of email communications.
Mitigation
As of the disclosure in April 2019, no official patch was available for the affected versions [4]. Users should monitor the Airmail plugin repository for updates and upgrade to a patched version if released [4]. If no fix is provided, consider disabling the GPG-PGP plugin or using an alternative secure email client.
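A verification routine that performs the two checks the description says the plugin skipped, as an added example that is not the plugin's own code: it interprets GnuPG `--status-fd` output, rejects anything without GOODSIG/VALIDSIG or carrying a failure token, requires the signing key's validity to be FULLY or ULTIMATE (so a key injected into the keyring with a look-alike user ID is not trusted), and requires the signer's user-ID email to match the message's From address. The sample status lines and key IDs are constructed for illustration.

```python
import re
from typing import Tuple

# Key validity levels accepted for a signer. GOODSIG alone is not enough: an
# attacker-injected key with a look-alike user ID yields GOODSIG + TRUST_UNDEFINED.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}
FAILURE_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def verify_status(status_output: str, from_addr: str) -> Tuple[bool, str]:
    """Decide from `gpg --status-fd` lines whether a message may be shown as signed.
    Accept only if GOODSIG and VALIDSIG are present, no failure token appears, key
    validity is FULLY/ULTIMATE, and the signer's UID email equals the From address.
    Returns (accepted, reason)."""
    good_uid, trust, validsig = None, None, False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg output, not a machine-readable status line
        fields = line[len("[GNUPG:] "):].split(" ", 2)
        token = fields[0]
        if token in FAILURE_TOKENS:
            return False, f"rejected by GnuPG: {token}"
        if token == "GOODSIG":
            good_uid = fields[2] if len(fields) > 2 else ""  # "<keyid> <user id>"
        elif token == "VALIDSIG":
            validsig = True
        elif token.startswith("TRUST_"):
            trust = token
    if good_uid is None or not validsig:
        return False, "no GOODSIG/VALIDSIG: unsigned or unverifiable"
    if trust not in ACCEPTED_TRUST:
        return False, f"signing key validity too low: {trust}"
    m = re.search(r"<([^>]+)>", good_uid)
    email = m.group(1).lower() if m else ""
    if email != from_addr.lower():
        return False, f"signer {email!r} does not match From {from_addr!r}"
    return True, "good signature from a valid key matching the sender"

# Constructed sample status output (fake key IDs), one per case from the description.
SAMPLES = {
    "trusted": "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.com>\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF 2019-04-30 1556582400 0 4 0 1 10 01\n"
               "[GNUPG:] TRUST_FULLY 0 pgp\n",
    "bad_sig": "[GNUPG:] BADSIG 0123456789ABCDEF Alice <alice@example.com>\n",
    "injected": "[GNUPG:] GOODSIG FEDCBA9876543210 Alice <alice@example.com>\n"
                "[GNUPG:] VALIDSIG FEDCBA9876543210 2019-04-30 1556582400 0 4 0 1 10 01\n"
                "[GNUPG:] TRUST_UNDEFINED 0 pgp\n",
}
```

Only the "trusted" sample is accepted; the invalid signature and the injected, untrusted key are both rejected, as is a good signature whose signer email differs from the From header.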
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Airmail/Airmail GPG-PGP Plugin
  - Range: <=1.0 (9)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Apr/38 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/Airmail/AirmailPlugIn-Framework/commits/master (mitre, x_refsource_MISC)
- github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf (mitre, x_refsource_MISC)
- www.openwall.com/lists/oss-security/2019/04/30/4 (mitre, mailing-list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.