Lucene search

MitreCVE-2007-1558

HistoryApr 16, 2007 - 10:19 p.m.

CVE-2007-1558

2007-04-1622:19:00

mitre

web.nvd.nist.gov

cve-2007-1558

apop protocol

remote attackers

mitm attacks

md5 collisions

thunderbird

evolution

mutt

fetchmail

seamonkey

balsa

mailfilter

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

AI Score

7.7

Confidence

High

EPSS

0.088

Percentile

94.6%

JSON

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

Affected configurations

Nvd

Node

apop_protocolapop_protocol

VendorProductVersionCPE
apop_protocolapop_protocol*cpe:2.3:a:apop_protocol:apop_protocol:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apop_protocol	apop_protocol	*	cpe:2.3:a:apop_protocol:apop_protocol::::::::

References

ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc

balsa.gnome.org/download.html

docs.info.apple.com/article.html?artnum=305530

fetchmail.berlios.de/fetchmail-SA-2007-01.txt

h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579

lists.apple.com/archives/security-announce/2007/May/msg00004.html

mail.gnome.org/archives/balsa-list/2007-July/msg00000.html

secunia.com/advisories/25353

secunia.com/advisories/25402

secunia.com/advisories/25476

secunia.com/advisories/25496

secunia.com/advisories/25529

secunia.com/advisories/25534

secunia.com/advisories/25546

secunia.com/advisories/25559

secunia.com/advisories/25664

secunia.com/advisories/25750

secunia.com/advisories/25798

secunia.com/advisories/25858

secunia.com/advisories/25894

secunia.com/advisories/26083

secunia.com/advisories/26415

secunia.com/advisories/35699

security.gentoo.org/glsa/glsa-200706-06.xml

slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857

sourceforge.net/forum/forum.php?forum_id=683706

sylpheed.sraoss.jp/en/news.html

www.claws-mail.org/news.php

www.debian.org/security/2007/dsa-1300

www.debian.org/security/2007/dsa-1305

www.mandriva.com/security/advisories?name=MDKSA-2007:105

www.mandriva.com/security/advisories?name=MDKSA-2007:107

www.mandriva.com/security/advisories?name=MDKSA-2007:113

www.mandriva.com/security/advisories?name=MDKSA-2007:119

www.mandriva.com/security/advisories?name=MDKSA-2007:131

www.mozilla.org/security/announce/2007/mfsa2007-15.html

www.novell.com/linux/security/advisories/2007_14_sr.html

www.novell.com/linux/security/advisories/2007_36_mozilla.html

www.openwall.com/lists/oss-security/2009/08/15/1

www.openwall.com/lists/oss-security/2009/08/18/1

www.redhat.com/support/errata/RHSA-2007-0344.html

www.redhat.com/support/errata/RHSA-2007-0353.html

www.redhat.com/support/errata/RHSA-2007-0385.html

www.redhat.com/support/errata/RHSA-2007-0386.html

www.redhat.com/support/errata/RHSA-2007-0401.html

www.redhat.com/support/errata/RHSA-2007-0402.html

www.redhat.com/support/errata/RHSA-2009-1140.html

www.securityfocus.com/archive/1/464477/30/0/threaded

www.securityfocus.com/archive/1/464569/100/0/threaded

www.securityfocus.com/archive/1/470172/100/200/threaded

www.securityfocus.com/archive/1/471455/100/0/threaded

www.securityfocus.com/archive/1/471720/100/0/threaded

www.securityfocus.com/archive/1/471842/100/0/threaded

www.securityfocus.com/bid/23257

www.securitytracker.com/id?1018008

www.trustix.org/errata/2007/0019/

www.trustix.org/errata/2007/0024/

www.ubuntu.com/usn/usn-469-1

www.ubuntu.com/usn/usn-520-1

www.us-cert.gov/cas/techalerts/TA07-151A.html

www.vupen.com/english/advisories/2007/1466

www.vupen.com/english/advisories/2007/1467

www.vupen.com/english/advisories/2007/1468

www.vupen.com/english/advisories/2007/1480

www.vupen.com/english/advisories/2007/1939

www.vupen.com/english/advisories/2007/1994

www.vupen.com/english/advisories/2007/2788

www.vupen.com/english/advisories/2008/0082

issues.rpath.com/browse/RPL-1231

issues.rpath.com/browse/RPL-1232

issues.rpath.com/browse/RPL-1424

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

AI Score

7.7

Confidence

High

EPSS

0.088

Percentile

94.6%

JSON

Related for CVE-2007-1558