CVE-2007-1558
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
94.6%
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| apop_protocol | apop_protocol | * | cpe:2.3:a:apop_protocol:apop_protocol:*:*:*:*:*:*:*:* |
References
ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
balsa.gnome.org/download.html
docs.info.apple.com/article.html?artnum=305530
fetchmail.berlios.de/fetchmail-SA-2007-01.txt
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
lists.apple.com/archives/security-announce/2007/May/msg00004.html
mail.gnome.org/archives/balsa-list/2007-July/msg00000.html
secunia.com/advisories/25353
secunia.com/advisories/25402
secunia.com/advisories/25476
secunia.com/advisories/25496
secunia.com/advisories/25529
secunia.com/advisories/25534
secunia.com/advisories/25546
secunia.com/advisories/25559
secunia.com/advisories/25664
secunia.com/advisories/25750
secunia.com/advisories/25798
secunia.com/advisories/25858
secunia.com/advisories/25894
secunia.com/advisories/26083
secunia.com/advisories/26415
secunia.com/advisories/35699
security.gentoo.org/glsa/glsa-200706-06.xml
slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
sourceforge.net/forum/forum.php?forum_id=683706
sylpheed.sraoss.jp/en/news.html
www.claws-mail.org/news.php
www.debian.org/security/2007/dsa-1300
www.debian.org/security/2007/dsa-1305
www.mandriva.com/security/advisories?name=MDKSA-2007:105
www.mandriva.com/security/advisories?name=MDKSA-2007:107
www.mandriva.com/security/advisories?name=MDKSA-2007:113
www.mandriva.com/security/advisories?name=MDKSA-2007:119
www.mandriva.com/security/advisories?name=MDKSA-2007:131
www.mozilla.org/security/announce/2007/mfsa2007-15.html
www.novell.com/linux/security/advisories/2007_14_sr.html
www.novell.com/linux/security/advisories/2007_36_mozilla.html
www.openwall.com/lists/oss-security/2009/08/15/1
www.openwall.com/lists/oss-security/2009/08/18/1
www.redhat.com/support/errata/RHSA-2007-0344.html
www.redhat.com/support/errata/RHSA-2007-0353.html
www.redhat.com/support/errata/RHSA-2007-0385.html
www.redhat.com/support/errata/RHSA-2007-0386.html
www.redhat.com/support/errata/RHSA-2007-0401.html
www.redhat.com/support/errata/RHSA-2007-0402.html
www.redhat.com/support/errata/RHSA-2009-1140.html
www.securityfocus.com/archive/1/464477/30/0/threaded
www.securityfocus.com/archive/1/464569/100/0/threaded
www.securityfocus.com/archive/1/470172/100/200/threaded
www.securityfocus.com/archive/1/471455/100/0/threaded
www.securityfocus.com/archive/1/471720/100/0/threaded
www.securityfocus.com/archive/1/471842/100/0/threaded
www.securityfocus.com/bid/23257
www.securitytracker.com/id?1018008
www.trustix.org/errata/2007/0019/
www.trustix.org/errata/2007/0024/
www.ubuntu.com/usn/usn-469-1
www.ubuntu.com/usn/usn-520-1
www.us-cert.gov/cas/techalerts/TA07-151A.html
www.vupen.com/english/advisories/2007/1466
www.vupen.com/english/advisories/2007/1467
www.vupen.com/english/advisories/2007/1468
www.vupen.com/english/advisories/2007/1480
www.vupen.com/english/advisories/2007/1939
www.vupen.com/english/advisories/2007/1994
www.vupen.com/english/advisories/2007/2788
www.vupen.com/english/advisories/2008/0082
issues.rpath.com/browse/RPL-1231
issues.rpath.com/browse/RPL-1232
issues.rpath.com/browse/RPL-1424
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
94.6%