CVE-2014-5369

Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html
http://secunia.com/advisories/60779
http://secunia.com/advisories/60887
http://secunia.com/advisories/61854
http://sourceforge.net/p/enigmail/bugs/294/	Patch
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
http://www.openwall.com/lists/oss-security/2014/08/18/2	Exploit
http://www.openwall.com/lists/oss-security/2014/08/22/1
https://advisories.mageia.org/MGASA-2014-0421.html
https://security.gentoo.org/glsa/201504-01
http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html
http://secunia.com/advisories/60779
http://secunia.com/advisories/60887
http://secunia.com/advisories/61854
http://sourceforge.net/p/enigmail/bugs/294/	Patch
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
http://www.openwall.com/lists/oss-security/2014/08/18/2	Exploit
http://www.openwall.com/lists/oss-security/2014/08/22/1
https://advisories.mageia.org/MGASA-2014-0421.html
https://security.gentoo.org/glsa/201504-01

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:enigmail:enigmail:1.7:::::::*
	cpe:2.3:a:enigmail:enigmail:1.7.2:::::::*

History

21 Nov 2024, 02:11

Type	Values Removed	Values Added
References	~~() http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html -~~	() http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html -
References	~~() http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html -~~	() http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html -
References	~~() http://secunia.com/advisories/60779 -~~	() http://secunia.com/advisories/60779 -
References	~~() http://secunia.com/advisories/60887 -~~	() http://secunia.com/advisories/60887 -
References	~~() http://secunia.com/advisories/61854 -~~	() http://secunia.com/advisories/61854 -
References	~~() http://sourceforge.net/p/enigmail/bugs/294/ - Patch~~	() http://sourceforge.net/p/enigmail/bugs/294/ - Patch
References	~~() http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ -~~	() http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ -
References	~~() http://www.openwall.com/lists/oss-security/2014/08/18/2 - Exploit~~	() http://www.openwall.com/lists/oss-security/2014/08/18/2 - Exploit
References	~~() http://www.openwall.com/lists/oss-security/2014/08/22/1 -~~	() http://www.openwall.com/lists/oss-security/2014/08/22/1 -
References	~~() https://advisories.mageia.org/MGASA-2014-0421.html -~~	() https://advisories.mageia.org/MGASA-2014-0421.html -
References	~~() https://security.gentoo.org/glsa/201504-01 -~~	() https://security.gentoo.org/glsa/201504-01 -

Information

Published : 2014-09-08 14:55

Updated : 2025-04-12 10:46

NVD link : CVE-2014-5369

Mitre link : CVE-2014-5369

CVE.ORG link : CVE-2014-5369

JSON object : View

Products Affected

enigmail

enigmail

CWE

CWE-310

Cryptographic Issues

{"id": "CVE-2014-5369", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-09-08T14:55:03.030", "references": [{"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/60779", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/60887", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/61854", "source": "cve@mitre.org"}, {"url": "http://sourceforge.net/p/enigmail/bugs/294/", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2014/08/18/2", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2014/08/22/1", "source": "cve@mitre.org"}, {"url": "https://advisories.mageia.org/MGASA-2014-0421.html", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/201504-01", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00004.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/60779", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/60887", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/61854", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sourceforge.net/p/enigmail/bugs/294/", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2014/08/18/2", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2014/08/22/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://advisories.mageia.org/MGASA-2014-0421.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201504-01", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network."}, {"lang": "es", "value": "Enigmail 1.7.x anterior a 1.7.2 env\u00eda emails en texto claro cuando la codificaci\u00f3n est\u00e1 habilitada y solamente los recipientes BCC est\u00e1n especificados, lo que permite a atacantes remotos obtener informaci\u00f3n sensible mediante la captura del trafico de la red."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:enigmail:enigmail:1.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB1D618F-4B3B-4269-BB73-74F2DAD8ECAC"}, {"criteria": "cpe:2.3:a:enigmail:enigmail:1.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F098E67-AF01-4EFD-89E0-3433E7E43849"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

4.3 /10