CVE-2007-1266 - Vulnerability Details - OpenCVE

Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnome	Evolution

Configuration 1 [-]

cpe:2.3:a:gnome:evolution:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html
http://secunia.com/advisories/24412
http://securityreason.com/securityalert/2353
http://www.coresecurity.com/?action=item&id=1687
http://www.securityfocus.com/archive/1/461958/100/0/threaded
http://www.securityfocus.com/archive/1/461958/30/7710/threaded
http://www.securityfocus.com/bid/22760
http://www.securitytracker.com/id?1017727
http://www.vupen.com/english/advisories/2007/0835

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-03-06T20:00:00

Updated: 2024-08-07T12:50:35.039Z

Reserved: 2007-03-04T00:00:00

Link: CVE-2007-1266

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-03-06T20:19:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-1266

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-03-05T00:00:00", "descriptions": [{"lang": "en", "value": "Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"name": "2353", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2353"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"name": "22760", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/22760"}, {"tags": ["x_refsource_MISC"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"name": "24412", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/24412"}, {"name": "1017727", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1017727"}, {"name": "ADV-2007-0835", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/0835"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1266", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME", "refsource": "MLIST", "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"name": "2353", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2353"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"name": "22760", "refsource": "BID", "url": "http://www.securityfocus.com/bid/22760"}, {"name": "http://www.coresecurity.com/?action=item&id=1687", "refsource": "MISC", "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"name": "24412", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24412"}, {"name": "1017727", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1017727"}, {"name": "ADV-2007-0835", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/0835"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T12:50:35.039Z"}, "title": "CVE Program Container", "references": [{"name": "[gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"name": "2353", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2353"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"name": "22760", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/22760"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"name": "24412", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/24412"}, {"name": "1017727", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1017727"}, {"name": "ADV-2007-0835", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/0835"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1266", "datePublished": "2007-03-06T20:00:00", "dateReserved": "2007-03-04T00:00:00", "dateUpdated": "2024-08-07T12:50:35.039Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:evolution:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9FF8952-CD1F-4A53-AB22-81AAED9660EB", "versionEndIncluding": "2.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."}, {"lang": "es", "value": "Evolution 2.8.1 y anteriores no utilizan adecuadamente el argumento --status-fd al invocar a GnuPG, lo cual provoca que Evolution no distinga visualmente entre trozos firmados y no firmados de mensajes OpenPGP con m\u00faltiples componentes, lo cual permite a atacantes remotos falsificar el contenido de un mensaje si ser detectado."}], "id": "CVE-2007-1266", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-03-06T20:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/24412"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2353"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/22760"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1017727"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/0835"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/24412"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/2353"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/22760"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1017727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/0835"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}