CVE-2013-4166
Published: 26 July 2013
The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information.
Priority
Status
Package | Release | Status |
---|---|---|
evolution-data-server Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
precise |
Released
(3.2.3-0ubuntu7.1)
|
|
quantal |
Released
(3.6.2-0ubuntu0.2)
|
|
raring |
Released
(3.6.4-0ubuntu1.1)
|
|
upstream |
Released
(3.8.4)
|
|
Patches: upstream: https://git.gnome.org/browse/evolution-data-server/commit/?id=5d8b92c622f6927b253762ff9310479dd3ac627d upstream: https://git.gnome.org/browse/evolution-data-server/commit/?h=gnome-3-8&id=f7059bb37dcce485d36d769142ec9515708d8ae5 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |