CVE-2007-1558

high

Description

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782

https://issues.rpath.com/browse/RPL-1424

https://issues.rpath.com/browse/RPL-1232

https://issues.rpath.com/browse/RPL-1231

http://www.vupen.com/english/advisories/2008/0082

http://www.vupen.com/english/advisories/2007/2788

http://www.vupen.com/english/advisories/2007/1994

http://www.vupen.com/english/advisories/2007/1939

http://www.vupen.com/english/advisories/2007/1480

http://www.vupen.com/english/advisories/2007/1468

http://www.vupen.com/english/advisories/2007/1467

http://www.vupen.com/english/advisories/2007/1466

http://www.us-cert.gov/cas/techalerts/TA07-151A.html

http://www.ubuntu.com/usn/usn-520-1

http://www.ubuntu.com/usn/usn-469-1

http://www.trustix.org/errata/2007/0024/

http://www.trustix.org/errata/2007/0019/

http://www.securitytracker.com/id?1018008

http://www.securityfocus.com/bid/23257

http://www.securityfocus.com/archive/1/471842/100/0/threaded

http://www.securityfocus.com/archive/1/471720/100/0/threaded

http://www.securityfocus.com/archive/1/471455/100/0/threaded

http://www.securityfocus.com/archive/1/470172/100/200/threaded

http://www.securityfocus.com/archive/1/464569/100/0/threaded

http://www.securityfocus.com/archive/1/464477/30/0/threaded

http://www.redhat.com/support/errata/RHSA-2009-1140.html

http://www.redhat.com/support/errata/RHSA-2007-0402.html

http://www.redhat.com/support/errata/RHSA-2007-0401.html

http://www.redhat.com/support/errata/RHSA-2007-0386.html

http://www.redhat.com/support/errata/RHSA-2007-0385.html

http://www.redhat.com/support/errata/RHSA-2007-0353.html

http://www.redhat.com/support/errata/RHSA-2007-0344.html

http://www.openwall.com/lists/oss-security/2009/08/18/1

http://www.openwall.com/lists/oss-security/2009/08/15/1

http://www.novell.com/linux/security/advisories/2007_36_mozilla.html

http://www.novell.com/linux/security/advisories/2007_14_sr.html

http://www.mozilla.org/security/announce/2007/mfsa2007-15.html

http://www.mandriva.com/security/advisories?name=MDKSA-2007:131

http://www.mandriva.com/security/advisories?name=MDKSA-2007:119

http://www.mandriva.com/security/advisories?name=MDKSA-2007:113

http://www.mandriva.com/security/advisories?name=MDKSA-2007:107

http://www.mandriva.com/security/advisories?name=MDKSA-2007:105

http://www.debian.org/security/2007/dsa-1305

http://www.debian.org/security/2007/dsa-1300

http://www.claws-mail.org/news.php

http://sylpheed.sraoss.jp/en/news.html

http://sourceforge.net/forum/forum.php?forum_id=683706

http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857

http://security.gentoo.org/glsa/glsa-200706-06.xml

http://secunia.com/advisories/35699

http://secunia.com/advisories/26415

http://secunia.com/advisories/26083

http://secunia.com/advisories/25894

http://secunia.com/advisories/25858

http://secunia.com/advisories/25798

http://secunia.com/advisories/25750

http://secunia.com/advisories/25664

http://secunia.com/advisories/25559

http://secunia.com/advisories/25546

http://secunia.com/advisories/25534

http://secunia.com/advisories/25529

http://secunia.com/advisories/25496

http://secunia.com/advisories/25476

http://secunia.com/advisories/25402

http://secunia.com/advisories/25353

http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html

http://lists.apple.com/archives/security-announce/2007/May/msg00004.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt

http://docs.info.apple.com/article.html?artnum=305530

http://balsa.gnome.org/download.html

Details

Source: Mitre, NVD

Published: 2007-04-16

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High