CVE-2007-1558

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

CVSS v2.0 2.6 LOW

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
http://balsa.gnome.org/download.html
http://docs.info.apple.com/article.html?artnum=305530
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html
http://secunia.com/advisories/25353
http://secunia.com/advisories/25402	Vendor Advisory
http://secunia.com/advisories/25476
http://secunia.com/advisories/25496	Vendor Advisory
http://secunia.com/advisories/25529	Vendor Advisory
http://secunia.com/advisories/25534
http://secunia.com/advisories/25546	Vendor Advisory
http://secunia.com/advisories/25559
http://secunia.com/advisories/25664
http://secunia.com/advisories/25750
http://secunia.com/advisories/25798
http://secunia.com/advisories/25858
http://secunia.com/advisories/25894
http://secunia.com/advisories/26083
http://secunia.com/advisories/26415
http://secunia.com/advisories/35699
http://security.gentoo.org/glsa/glsa-200706-06.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
http://sourceforge.net/forum/forum.php?forum_id=683706
http://sylpheed.sraoss.jp/en/news.html
http://www.claws-mail.org/news.php
http://www.debian.org/security/2007/dsa-1300
http://www.debian.org/security/2007/dsa-1305	Patch
http://www.mandriva.com/security/advisories?name=MDKSA-2007:105
http://www.mandriva.com/security/advisories?name=MDKSA-2007:107
http://www.mandriva.com/security/advisories?name=MDKSA-2007:113
http://www.mandriva.com/security/advisories?name=MDKSA-2007:119
http://www.mandriva.com/security/advisories?name=MDKSA-2007:131
http://www.mozilla.org/security/announce/2007/mfsa2007-15.html	Patch Vendor Advisory
http://www.novell.com/linux/security/advisories/2007_14_sr.html
http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
http://www.openwall.com/lists/oss-security/2009/08/15/1
http://www.openwall.com/lists/oss-security/2009/08/18/1
http://www.redhat.com/support/errata/RHSA-2007-0344.html
http://www.redhat.com/support/errata/RHSA-2007-0353.html
http://www.redhat.com/support/errata/RHSA-2007-0385.html
http://www.redhat.com/support/errata/RHSA-2007-0386.html
http://www.redhat.com/support/errata/RHSA-2007-0401.html
http://www.redhat.com/support/errata/RHSA-2007-0402.html
http://www.redhat.com/support/errata/RHSA-2009-1140.html
http://www.securityfocus.com/archive/1/464477/30/0/threaded	Vendor Advisory
http://www.securityfocus.com/archive/1/464569/100/0/threaded
http://www.securityfocus.com/archive/1/470172/100/200/threaded
http://www.securityfocus.com/archive/1/471455/100/0/threaded
http://www.securityfocus.com/archive/1/471720/100/0/threaded
http://www.securityfocus.com/archive/1/471842/100/0/threaded
http://www.securityfocus.com/bid/23257	Patch
http://www.securitytracker.com/id?1018008
http://www.trustix.org/errata/2007/0019/
http://www.trustix.org/errata/2007/0024/
http://www.ubuntu.com/usn/usn-469-1
http://www.ubuntu.com/usn/usn-520-1
http://www.us-cert.gov/cas/techalerts/TA07-151A.html	US Government Resource
http://www.vupen.com/english/advisories/2007/1466
http://www.vupen.com/english/advisories/2007/1467
http://www.vupen.com/english/advisories/2007/1468
http://www.vupen.com/english/advisories/2007/1480
http://www.vupen.com/english/advisories/2007/1939
http://www.vupen.com/english/advisories/2007/1994
http://www.vupen.com/english/advisories/2007/2788
http://www.vupen.com/english/advisories/2008/0082
https://issues.rpath.com/browse/RPL-1231
https://issues.rpath.com/browse/RPL-1232
https://issues.rpath.com/browse/RPL-1424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782
ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
http://balsa.gnome.org/download.html
http://docs.info.apple.com/article.html?artnum=305530
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html
http://secunia.com/advisories/25353
http://secunia.com/advisories/25402	Vendor Advisory
http://secunia.com/advisories/25476
http://secunia.com/advisories/25496	Vendor Advisory
http://secunia.com/advisories/25529	Vendor Advisory
http://secunia.com/advisories/25534
http://secunia.com/advisories/25546	Vendor Advisory
http://secunia.com/advisories/25559
http://secunia.com/advisories/25664
http://secunia.com/advisories/25750
http://secunia.com/advisories/25798
http://secunia.com/advisories/25858
http://secunia.com/advisories/25894
http://secunia.com/advisories/26083
http://secunia.com/advisories/26415
http://secunia.com/advisories/35699
http://security.gentoo.org/glsa/glsa-200706-06.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
http://sourceforge.net/forum/forum.php?forum_id=683706
http://sylpheed.sraoss.jp/en/news.html
http://www.claws-mail.org/news.php
http://www.debian.org/security/2007/dsa-1300
http://www.debian.org/security/2007/dsa-1305	Patch
http://www.mandriva.com/security/advisories?name=MDKSA-2007:105
http://www.mandriva.com/security/advisories?name=MDKSA-2007:107
http://www.mandriva.com/security/advisories?name=MDKSA-2007:113
http://www.mandriva.com/security/advisories?name=MDKSA-2007:119
http://www.mandriva.com/security/advisories?name=MDKSA-2007:131
http://www.mozilla.org/security/announce/2007/mfsa2007-15.html	Patch Vendor Advisory
http://www.novell.com/linux/security/advisories/2007_14_sr.html
http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
http://www.openwall.com/lists/oss-security/2009/08/15/1
http://www.openwall.com/lists/oss-security/2009/08/18/1
http://www.redhat.com/support/errata/RHSA-2007-0344.html
http://www.redhat.com/support/errata/RHSA-2007-0353.html
http://www.redhat.com/support/errata/RHSA-2007-0385.html
http://www.redhat.com/support/errata/RHSA-2007-0386.html
http://www.redhat.com/support/errata/RHSA-2007-0401.html
http://www.redhat.com/support/errata/RHSA-2007-0402.html
http://www.redhat.com/support/errata/RHSA-2009-1140.html
http://www.securityfocus.com/archive/1/464477/30/0/threaded	Vendor Advisory
http://www.securityfocus.com/archive/1/464569/100/0/threaded
http://www.securityfocus.com/archive/1/470172/100/200/threaded
http://www.securityfocus.com/archive/1/471455/100/0/threaded
http://www.securityfocus.com/archive/1/471720/100/0/threaded
http://www.securityfocus.com/archive/1/471842/100/0/threaded
http://www.securityfocus.com/bid/23257	Patch
http://www.securitytracker.com/id?1018008
http://www.trustix.org/errata/2007/0019/
http://www.trustix.org/errata/2007/0024/
http://www.ubuntu.com/usn/usn-469-1
http://www.ubuntu.com/usn/usn-520-1
http://www.us-cert.gov/cas/techalerts/TA07-151A.html	US Government Resource
http://www.vupen.com/english/advisories/2007/1466
http://www.vupen.com/english/advisories/2007/1467
http://www.vupen.com/english/advisories/2007/1468
http://www.vupen.com/english/advisories/2007/1480
http://www.vupen.com/english/advisories/2007/1939
http://www.vupen.com/english/advisories/2007/1994
http://www.vupen.com/english/advisories/2007/2788
http://www.vupen.com/english/advisories/2008/0082
https://issues.rpath.com/browse/RPL-1231
https://issues.rpath.com/browse/RPL-1232
https://issues.rpath.com/browse/RPL-1424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782

Configurations

Configuration 1 (hide)

cpe:2.3:a:apop_protocol:apop_protocol:*:*:*:*:*:*:*:*

History

21 Nov 2024, 00:28

Information

Published : 2007-04-16 22:19

Updated : 2024-11-21 00:28

NVD link : CVE-2007-1558

Mitre link : CVE-2007-1558

CVE.ORG link : CVE-2007-1558

JSON object : View

Products Affected

apop_protocol

apop_protocol

CWE

NVD-CWE-Other

2.6 /10