OpenPGP Signature Spoofing in GNOME Evolution by The GNOME Project
CVE-2018-15587

6.5MEDIUM

Key Information:

Vendor

Gnome
Status
Evolution
Vendor
CVE Published:
11 February 2019

What is CVE-2018-15587?

GNOME Evolution up to version 3.28.2 is vulnerable to manipulation of OpenPGP signatures, allowing attackers to spoof messages from legitimate entities. This is done through crafted emails that include a valid signature as an attachment. As a result, users may be deceived into believing that these fraudulent messages originate from trusted sources, exposing them to potential phishing attacks and security breaches.

References

https://bugzilla.gnome.org/show_bug.cgi?id=796424
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2019/04/msg0...
mailing-listx_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/04/30/4
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.