CVE-2017-17688

5.9MEDIUM

Key Information:

Vendor
Microsoft
Status
Outlook
Horde Imp
Maildroid
R2mail2
Vendor
CVE Published:
16 May 2018

Summary

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification

References

https://protonmail.com/blog/pgp-vulnerability-efail
x_refsource_MISC
https://news.ycombinator.com/item?id=17066419
x_refsource_MISC
https://www.patreon.com/posts/cybersecurity-15-18814817
x_refsource_MISC

EPSS Score

0% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.