CVE - CVE-2007-1558

CVE-ID
CVE-2007-1558	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
APPLE:APPLE-SA-2007-05-24 URL:http://lists.apple.com/archives/security-announce/2007/May/msg00004.html BID:23257 URL:http://www.securityfocus.com/bid/23257 BUGTRAQ:20070402 APOP vulnerability URL:http://www.securityfocus.com/archive/1/464477/30/0/threaded BUGTRAQ:20070403 Re: APOP vulnerability URL:http://www.securityfocus.com/archive/1/464569/100/0/threaded BUGTRAQ:20070531 FLEA-2007-0023-1: firefox URL:http://www.securityfocus.com/archive/1/470172/100/200/threaded BUGTRAQ:20070615 rPSA-2007-0122-1 evolution-data-server URL:http://www.securityfocus.com/archive/1/471455/100/0/threaded BUGTRAQ:20070619 FLEA-2007-0026-1: evolution-data-server URL:http://www.securityfocus.com/archive/1/471720/100/0/threaded BUGTRAQ:20070620 FLEA-2007-0027-1: thunderbird URL:http://www.securityfocus.com/archive/1/471842/100/0/threaded CERT:TA07-151A URL:http://www.us-cert.gov/cas/techalerts/TA07-151A.html CONFIRM:http://balsa.gnome.org/download.html CONFIRM:http://docs.info.apple.com/article.html?artnum=305530 CONFIRM:http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=683706 CONFIRM:http://sylpheed.sraoss.jp/en/news.html CONFIRM:http://www.claws-mail.org/news.php CONFIRM:http://www.mozilla.org/security/announce/2007/mfsa2007-15.html CONFIRM:https://issues.rpath.com/browse/RPL-1231 CONFIRM:https://issues.rpath.com/browse/RPL-1232 CONFIRM:https://issues.rpath.com/browse/RPL-1424 DEBIAN:DSA-1300 URL:http://www.debian.org/security/2007/dsa-1300 DEBIAN:DSA-1305 URL:http://www.debian.org/security/2007/dsa-1305 GENTOO:GLSA-200706-06 URL:http://security.gentoo.org/glsa/glsa-200706-06.xml HP:HPSBUX02153 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 HP:HPSBUX02156 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579 HP:SSRT061181 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742 HP:SSRT061236 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579 MANDRIVA:MDKSA-2007:105 URL:~~http://www.mandriva.com/security/advisories?name=MDKSA-2007:105~~ (Obsolete source) MANDRIVA:MDKSA-2007:107 URL:~~http://www.mandriva.com/security/advisories?name=MDKSA-2007:107~~ (Obsolete source) MANDRIVA:MDKSA-2007:113 URL:~~http://www.mandriva.com/security/advisories?name=MDKSA-2007:113~~ (Obsolete source) MANDRIVA:MDKSA-2007:119 URL:~~http://www.mandriva.com/security/advisories?name=MDKSA-2007:119~~ (Obsolete source) MANDRIVA:MDKSA-2007:131 URL:~~http://www.mandriva.com/security/advisories?name=MDKSA-2007:131~~ (Obsolete source) MLIST:[balsa-list] 20070704 balsa-2.3.17 released URL:http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html MLIST:[oss-security] 20090815 mailfilter 0.8.2 fixes CVE-2007-1558 (APOP) URL:http://www.openwall.com/lists/oss-security/2009/08/15/1 MLIST:[oss-security] 20090818 Re: CVE-2007-1558 update (was: mailfilter 0.8.2 fixes CVE-2007-1558 (APOP)) URL:http://www.openwall.com/lists/oss-security/2009/08/18/1 OVAL:oval:org.mitre.oval:def:9782 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782 REDHAT:RHSA-2007:0344 URL:http://www.redhat.com/support/errata/RHSA-2007-0344.html REDHAT:RHSA-2007:0353 URL:http://www.redhat.com/support/errata/RHSA-2007-0353.html REDHAT:RHSA-2007:0385 URL:http://www.redhat.com/support/errata/RHSA-2007-0385.html REDHAT:RHSA-2007:0386 URL:http://www.redhat.com/support/errata/RHSA-2007-0386.html REDHAT:RHSA-2007:0401 URL:http://www.redhat.com/support/errata/RHSA-2007-0401.html REDHAT:RHSA-2007:0402 URL:http://www.redhat.com/support/errata/RHSA-2007-0402.html REDHAT:RHSA-2009:1140 URL:http://www.redhat.com/support/errata/RHSA-2009-1140.html SECTRACK:1018008 URL:http://www.securitytracker.com/id?1018008 SECUNIA:25353 URL:http://secunia.com/advisories/25353 SECUNIA:25402 URL:http://secunia.com/advisories/25402 SECUNIA:25476 URL:http://secunia.com/advisories/25476 SECUNIA:25496 URL:http://secunia.com/advisories/25496 SECUNIA:25529 URL:http://secunia.com/advisories/25529 SECUNIA:25534 URL:http://secunia.com/advisories/25534 SECUNIA:25546 URL:http://secunia.com/advisories/25546 SECUNIA:25559 URL:http://secunia.com/advisories/25559 SECUNIA:25664 URL:http://secunia.com/advisories/25664 SECUNIA:25750 URL:http://secunia.com/advisories/25750 SECUNIA:25798 URL:http://secunia.com/advisories/25798 SECUNIA:25858 URL:http://secunia.com/advisories/25858 SECUNIA:25894 URL:http://secunia.com/advisories/25894 SECUNIA:26083 URL:http://secunia.com/advisories/26083 SECUNIA:26415 URL:http://secunia.com/advisories/26415 SECUNIA:35699 URL:http://secunia.com/advisories/35699 SGI:20070602-01-P URL:ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc SLACKWARE:SSA:2007-152-02 URL:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857 SUSE:SUSE-SA:2007:036 URL:http://www.novell.com/linux/security/advisories/2007_36_mozilla.html SUSE:SUSE-SR:2007:014 URL:http://www.novell.com/linux/security/advisories/2007_14_sr.html TRUSTIX:2007-0019 URL:~~http://www.trustix.org/errata/2007/0019/~~ (Obsolete source - check if archived by the Wayback Machine) TRUSTIX:2007-0024 URL:~~http://www.trustix.org/errata/2007/0024/~~ (Obsolete source - check if archived by the Wayback Machine) UBUNTU:USN-469-1 URL:http://www.ubuntu.com/usn/usn-469-1 UBUNTU:USN-520-1 URL:http://www.ubuntu.com/usn/usn-520-1 VUPEN:ADV-2007-1466 URL:~~http://www.vupen.com/english/advisories/2007/1466~~ (Obsolete source) VUPEN:ADV-2007-1467 URL:~~http://www.vupen.com/english/advisories/2007/1467~~ (Obsolete source) VUPEN:ADV-2007-1468 URL:~~http://www.vupen.com/english/advisories/2007/1468~~ (Obsolete source) VUPEN:ADV-2007-1480 URL:~~http://www.vupen.com/english/advisories/2007/1480~~ (Obsolete source) VUPEN:ADV-2007-1939 URL:~~http://www.vupen.com/english/advisories/2007/1939~~ (Obsolete source) VUPEN:ADV-2007-1994 URL:~~http://www.vupen.com/english/advisories/2007/1994~~ (Obsolete source) VUPEN:ADV-2007-2788 URL:~~http://www.vupen.com/english/advisories/2007/2788~~ (Obsolete source) VUPEN:ADV-2008-0082 URL:~~http://www.vupen.com/english/advisories/2008/0082~~ (Obsolete source)
Assigning CNA
MITRE Corporation
Date Record Created
20070320	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20070320)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)