The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mozilla | thunderbird | - |
| flipdogsolutions | maildroid | - |
| freron | mailmate | - |
| emclient | emclient | - |
| horde | horde_imp | - |
| bloop | airmail | - |
| postbox-inc | postbox | - |
| microsoft | outlook | 2007 |
| roundcube | webmail | - |
| apple | - | |
| r2mail2 | r2mail2 | - |
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo
Products Affected
| Vendor | Product | Version |
|---|---|---|
| gnome | evolution | - |
| mozilla | thunderbird | - |
| flipdogsolutions | maildroid | - |
| microsoft | outlook | 2010 |
| emclient | emclient | - |
| horde | horde_imp | - |
| bloop | airmail | - |
| postbox-inc | postbox | - |
| microsoft | outlook | 2016 |
| 9folders | nine | - |
| kde | trojita | - |
| gmail | - | |
| freron | mailmate | - |
| ritlabs | the_bat | - |
| ibm | notes | - |
| kde | kmail | - |
| microsoft | outlook | 2013 |
| microsoft | outlook | 2007 |
| apple | - | |
| r2mail2 | r2mail2 | - |
eM Client before 7.2.33412.0 automatically imported S/MIME certificates and thereby silently replaced existing ones. This allowed a man-in-the-middle attacker to obtain an email-validated S/MIME certificate from a trusted CA and replace the public key of the entity to be impersonated. This enabled the attacker to decipher further communication. The entire attack could be accomplished by sending a single email.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2.2 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo
Products Affected
| Vendor | Product | Version |
|---|---|---|
| emclient | em_client | * |