CVE-2007-1269 - Vulnerability Details - OpenCVE

GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01225.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnu	Gnumail

Configuration 1 [-]

cpe:2.3:a:gnu:gnumail:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2007-1266	GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html
http://secunia.com/advisories/24417
http://securityreason.com/securityalert/2353
http://www.coresecurity.com/?action=item&id=1687
http://www.securityfocus.com/archive/1/461958/100/0/threaded
http://www.securityfocus.com/archive/1/461958/30/7710/threaded
http://www.securityfocus.com/bid/22779
http://www.securitytracker.com/id?1017727
http://www.vupen.com/english/advisories/2007/0835

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-03-06T20:00:00

Updated: 2024-08-07T12:50:35.199Z

Reserved: 2007-03-04T00:00:00

Link: CVE-2007-1269

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-03-06T20:19:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-1269

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-03-05T00:00:00", "descriptions": [{"lang": "en", "value": "GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"name": "2353", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2353"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"name": "24417", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/24417"}, {"name": "1017727", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1017727"}, {"name": "22779", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/22779"}, {"name": "ADV-2007-0835", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/0835"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1269", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME", "refsource": "MLIST", "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"name": "2353", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2353"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"name": "http://www.coresecurity.com/?action=item&id=1687", "refsource": "MISC", "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"name": "24417", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24417"}, {"name": "1017727", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1017727"}, {"name": "22779", "refsource": "BID", "url": "http://www.securityfocus.com/bid/22779"}, {"name": "ADV-2007-0835", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/0835"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T12:50:35.199Z"}, "title": "CVE Program Container", "references": [{"name": "[gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"name": "2353", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2353"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"name": "20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"name": "24417", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/24417"}, {"name": "1017727", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1017727"}, {"name": "22779", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/22779"}, {"name": "ADV-2007-0835", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/0835"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1269", "datePublished": "2007-03-06T20:00:00", "dateReserved": "2007-03-04T00:00:00", "dateUpdated": "2024-08-07T12:50:35.199Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gnumail:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D2D7AD9-0BBE-4B8D-88CE-BF66176AAE86", "versionEndIncluding": "1.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection."}, {"lang": "es", "value": "GNUMail 1.1.2 y anteriores no utilizan adecuadamente el argumento --status-fd al invocar a GnuPG, lo cual provoca que GNUMail no distinga visualmente entre trozos firmados y no firmados de mensajes OpenPGP con m\u00faltiples componentes, lo cual permite a atacantes remotos falsificar el contenido de un mensaje si ser detectado."}], "id": "CVE-2007-1269", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-03-06T20:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/24417"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2353"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/22779"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1017727"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/0835"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.gnupg.org/pipermail/gnupg-users/2007-March/030514.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/24417"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/2353"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.coresecurity.com/?action=item&id=1687"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/461958/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/461958/30/7710/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/22779"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1017727"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/0835"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}