Vulnerability CVE-2014-5369

Vulnerability Name:

CVE-2014-5369 (CCN-95877)

Assigned:

2014-09-08

Published:

2014-09-08

Updated:

2016-12-22

Summary:

Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-310

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-5369

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1086

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1096

Source: SECUNIA
Type: UNKNOWN
60779

Source: SECUNIA
Type: UNKNOWN
60887

Source: SECUNIA
Type: UNKNOWN
61854

Source: CONFIRM
Type: Patch
http://sourceforge.net/p/enigmail/bugs/294/

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

Source: MLIST
Type: Exploit
[oss-security] 20140818 Enigmail warning

Source: MLIST
Type: UNKNOWN
[oss-security] 20140821 Re: Enigmail warning

Source: CCN
Type: BID-69349
Enigmail CVE-2014-5369 Encryption Security Weakness

Source: CONFIRM
Type: UNKNOWN
https://advisories.mageia.org/MGASA-2014-0421.html

Source: CCN
Type: Red Hat Bugzilla Bug 1133373
(CVE-2014-5369) CVE-2014-5369 thunderbird-enigmail: mail with only Bcc recipients sent in plain text

Source: XF
Type: UNKNOWN
enigmail-cve20145369-info-disc(95877)

Source: GENTOO
Type: UNKNOWN
GLSA-201504-01

Source: CCN
Type: Enigmail Web site
Enigmail

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-5369

Vulnerable Configuration:

Configuration 1:

cpe:/a:enigmail:enigmail:1.7:*:*:*:*:*:*:*

OR cpe:/a:enigmail:enigmail:1.7.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:enigmail:enigmail:1.7.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20145369	V	CVE-2014-5369	2022-06-30
oval:org.opensuse.security:def:1702	P	Security update for salt (Important)	2022-06-24
oval:org.opensuse.security:def:112189	P	enigmail-1.9.6.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:1146	P	Security update for log4j12 (Important)	2021-12-17
oval:org.opensuse.security:def:1741	P	Security update for the Linux Kernel (Important)	2021-11-11
oval:org.opensuse.security:def:64774	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:105721	P	enigmail-1.9.6.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:71361	P	perl-5.26.1-7.6.1 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:47996	P	dracut-044.2-15.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47629	P	gpgme-1.5.1-1.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48220	P	libvpx1-1.3.0-3.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47764	P	libpng12-0-1.2.50-19.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48089	P	libXvnc1-1.6.0-22.7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47668	P	libQt5WebKit5-5.6.2-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48329	P	ucode-intel-20191112-1.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47803	P	libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47628	P	gpg2-2.0.24-9.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48128	P	libipa_hbac0-1.16.1-4.17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47643	P	hplip-3.16.11-1.33 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47957	P	augeas-1.10.1-2.6 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47667	P	libQt5Concurrent5-5.6.2-6.12.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48181	P	libpython3_4m1_0-3.4.6-25.29.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47682	P	libXrandr2-1.5.0-6.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:1107	P	libpcre2-16-0-10.31-1.14 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:68021	P	Security update for the Linux Kernel (Important)	2021-07-21
oval:org.opensuse.security:def:48543	P	libpython3_4m1_0-3.4.1-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48895	P	bogofilter-1.2.4-5.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48689	P	libpolkit0-32bit-0.112-2.189 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63533	P	enigmail-2.0.5-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48785	P	libIlmImf-Imf_2_1-21-32bit-2.1.0-4.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48582	P	openslp-2.0.0-11.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48728	P	kernel-default-extra-3.12.49-11.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48824	P	bash-lang-4.3-82.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48627	P	stunnel-5.00-3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:2444	P	enigmail-2.0.5-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48754	P	pulseaudio-module-bluetooth-5.0-2.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48368	P	apache2-2.4.23-14.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48856	P	libid3tag0-0.15.1b-182.58 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48666	P	cyrus-sasl-digestmd5-32bit-2.1.26-7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48793	P	libmysqlclient_r18-10.0.27-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64687	P	Security update for dtc (Low)	2021-05-13
oval:org.opensuse.security:def:103756	P	enigmail-2.0.9-3.13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:71474	P	ecryptfs-utils-111-2.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63572	P	enigmail-2.0.9-3.13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:90101	P	enigmail-2.0.9-3.13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2483	P	enigmail-2.0.9-3.13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:50089	P	postgresql-contrib on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:68121	P	enigmail on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50128	P	apache2-mod_php7 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50143	P	enigmail on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50182	P	enigmail on GA media (Moderate)	2020-12-01
oval:com.ubuntu.precise:def:20145369000	V	CVE-2014-5369 on Ubuntu 12.04 LTS (precise) - low.	2014-09-08
oval:com.ubuntu.trusty:def:20145369000	V	CVE-2014-5369 on Ubuntu 14.04 LTS (trusty) - low.	2014-09-08

BACK