CVE - CVE-2007-1558

CVE-ID
CVE-2007-1558	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20070402 APOP vulnerability URL:http://www.securityfocus.com/archive/1/464477/30/0/threaded BUGTRAQ:20070403 Re: APOP vulnerability URL:http://www.securityfocus.com/archive/1/464569/100/0/threaded BUGTRAQ:20070615 rPSA-2007-0122-1 evolution-data-server URL:http://www.securityfocus.com/archive/1/471455/100/0/threaded BUGTRAQ:20070619 FLEA-2007-0026-1: evolution-data-server URL:http://www.securityfocus.com/archive/1/471720/100/0/threaded BUGTRAQ:20070531 FLEA-2007-0023-1: firefox URL:http://www.securityfocus.com/archive/1/470172/100/200/threaded BUGTRAQ:20070620 FLEA-2007-0027-1: thunderbird URL:http://www.securityfocus.com/archive/1/471842/100/0/threaded MLIST:[balsa-list] 20070704 balsa-2.3.17 released URL:http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html MLIST:[oss-security] 20090815 mailfilter 0.8.2 fixes CVE-2007-1558 (APOP) URL:http://www.openwall.com/lists/oss-security/2009/08/15/1 MLIST:[oss-security] 20090818 Re: CVE-2007-1558 update (was: mailfilter 0.8.2 fixes CVE-2007-1558 (APOP)) URL:http://www.openwall.com/lists/oss-security/2009/08/18/1 CONFIRM:http://docs.info.apple.com/article.html?artnum=305530 CONFIRM:http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=683706 CONFIRM:http://sylpheed.sraoss.jp/en/news.html CONFIRM:http://www.claws-mail.org/news.php CONFIRM:http://www.mozilla.org/security/announce/2007/mfsa2007-15.html CONFIRM:https://issues.rpath.com/browse/RPL-1424 CONFIRM:https://issues.rpath.com/browse/RPL-1232 CONFIRM:https://issues.rpath.com/browse/RPL-1231 CONFIRM:http://balsa.gnome.org/download.html APPLE:APPLE-SA-2007-05-24 URL:http://lists.apple.com/archives/security-announce/2007/May/msg00004.html DEBIAN:DSA-1300 URL:http://www.debian.org/security/2007/dsa-1300 DEBIAN:DSA-1305 URL:http://www.debian.org/security/2007/dsa-1305 GENTOO:GLSA-200706-06 URL:http://security.gentoo.org/glsa/glsa-200706-06.xml HP:HPSBUX02153 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 HP:HPSBUX02156 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579 HP:SSRT061181 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 HP:SSRT061236 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579 MANDRIVA:MDKSA-2007:105 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:105 MANDRIVA:MDKSA-2007:107 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:107 MANDRIVA:MDKSA-2007:113 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:113 MANDRIVA:MDKSA-2007:119 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:119 MANDRIVA:MDKSA-2007:131 URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:131 REDHAT:RHSA-2007:0353 URL:http://www.redhat.com/support/errata/RHSA-2007-0353.html REDHAT:RHSA-2007:0344 URL:http://www.redhat.com/support/errata/RHSA-2007-0344.html REDHAT:RHSA-2007:0386 URL:http://www.redhat.com/support/errata/RHSA-2007-0386.html REDHAT:RHSA-2007:0385 URL:http://www.redhat.com/support/errata/RHSA-2007-0385.html REDHAT:RHSA-2007:0401 URL:http://www.redhat.com/support/errata/RHSA-2007-0401.html REDHAT:RHSA-2007:0402 URL:http://www.redhat.com/support/errata/RHSA-2007-0402.html REDHAT:RHSA-2009:1140 URL:http://www.redhat.com/support/errata/RHSA-2009-1140.html SGI:20070602-01-P URL:ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc SLACKWARE:SSA:2007-152-02 URL:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857 SUSE:SUSE-SA:2007:036 URL:http://www.novell.com/linux/security/advisories/2007_36_mozilla.html SUSE:SUSE-SR:2007:014 URL:http://www.novell.com/linux/security/advisories/2007_14_sr.html TRUSTIX:2007-0019 URL:http://www.trustix.org/errata/2007/0019/ TRUSTIX:2007-0024 URL:http://www.trustix.org/errata/2007/0024/ UBUNTU:USN-469-1 URL:http://www.ubuntu.com/usn/usn-469-1 UBUNTU:USN-520-1 URL:http://www.ubuntu.com/usn/usn-520-1 CERT:TA07-151A URL:http://www.us-cert.gov/cas/techalerts/TA07-151A.html BID:23257 URL:http://www.securityfocus.com/bid/23257 OVAL:oval:org.mitre.oval:def:9782 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782 SECUNIA:35699 URL:http://secunia.com/advisories/35699 VUPEN:ADV-2007-1466 URL:http://www.vupen.com/english/advisories/2007/1466 VUPEN:ADV-2007-1467 URL:http://www.vupen.com/english/advisories/2007/1467 VUPEN:ADV-2007-1468 URL:http://www.vupen.com/english/advisories/2007/1468 VUPEN:ADV-2007-1480 URL:http://www.vupen.com/english/advisories/2007/1480 VUPEN:ADV-2007-1939 URL:http://www.vupen.com/english/advisories/2007/1939 VUPEN:ADV-2007-1994 URL:http://www.vupen.com/english/advisories/2007/1994 VUPEN:ADV-2007-2788 URL:http://www.vupen.com/english/advisories/2007/2788 VUPEN:ADV-2008-0082 URL:http://www.vupen.com/english/advisories/2008/0082 SECTRACK:1018008 URL:http://www.securitytracker.com/id?1018008 SECUNIA:25353 URL:http://secunia.com/advisories/25353 SECUNIA:25402 URL:http://secunia.com/advisories/25402 SECUNIA:25476 URL:http://secunia.com/advisories/25476 SECUNIA:25529 URL:http://secunia.com/advisories/25529 SECUNIA:25546 URL:http://secunia.com/advisories/25546 SECUNIA:25496 URL:http://secunia.com/advisories/25496 SECUNIA:25559 URL:http://secunia.com/advisories/25559 SECUNIA:25534 URL:http://secunia.com/advisories/25534 SECUNIA:25664 URL:http://secunia.com/advisories/25664 SECUNIA:25750 URL:http://secunia.com/advisories/25750 SECUNIA:25798 URL:http://secunia.com/advisories/25798 SECUNIA:25894 URL:http://secunia.com/advisories/25894 SECUNIA:26083 URL:http://secunia.com/advisories/26083 SECUNIA:26415 URL:http://secunia.com/advisories/26415 SECUNIA:25858 URL:http://secunia.com/advisories/25858
Assigning CNA
N/A
Date Entry Created
20070320	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20070320)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org