GnuPG Integrity Protection Issue in Roundcube Webmail
CVE-2018-19205

7.5HIGH

Key Information:

Vendor: Roundcube
Status: Webmail
Vendor: CVE Published:; 12 November 2018

What is CVE-2018-19205?

A security issue in Roundcube before version 1.3.7 arises from the mishandling of GnuPG MDC integrity-protection warnings, potentially allowing attackers to gain unauthorized access to sensitive user information. This vulnerability is particularly associated with the enigma plugin's GnuPG driver, which affects the overall security posture of email communications handled by the application. As a result, users are at risk of data exposure, prompting the need for immediate updates to mitigate potential threats.

References

https://roundcube.net/news/2018/07/27/update-1.3.7-released

x_refsource_MISC

https://github.com/roundcube/roundcubemail/releases/tag/1...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Nov 12, 2018