CVE-2019-8338 – Johnny You Are Fired
https://notcve.org/view.php?id=CVE-2019-8338
The signature verification routine in the Airmail GPG-PGP Plugin, versions 1.0 (9) and earlier, does not verify the status of the signature at all, which allows remote attackers to spoof arbitrary email signatures by crafting a signed email with an invalid signature. Also, it does not verify the validity of the signing key, which allows remote attackers to spoof arbitrary email signatures by crafting a key with a fake user ID (email address) and injecting it into the user's keyring. La rutina de verificación de firmas en Airmail GPG-PGP Plugin, versiones 1.0 (9) y anteriores, no comprueba el estado de la firma en absoluto, lo cual permite a los atacantes remotos falsificar firmas de correo electrónico arbitrarias al crear un correo electrónico firmado con una firma no válida. Además, no comprueba la validez de la clave de firma, lo que permite a los atacantes remotos falsificar firmas de correo electrónico arbitrarias al crear una clave con un ID de usuario falso (email address) e inyectarla en el llavero de usuarios. • http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html http://seclists.org/fulldisclosure/2019/Apr/38 https://github.com/Airmail/AirmailPlugIn-Framework/commits/master https://github.com/RUB-NDS/Johnny-You-Are-Fired https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf https://www.openwall.com/lists/oss-security/2019/04/30/4 • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2002-1977
https://notcve.org/view.php?id=CVE-2002-1977
Network Associates PGP 7.0.4 and 7.1 does not time out according to the value set in the "Passphrase Cache" option, which could allow attackers to open encrypted files without providing a passphrase. • http://archives.neohapsis.com/archives/bugtraq/2002-07/0313.html http://archives.neohapsis.com/archives/bugtraq/2002-07/0322.html http://www.iss.net/security_center/static/9690.php http://www.securityfocus.com/bid/5318 •
CVE-2001-1016
https://notcve.org/view.php?id=CVE-2001-1016
PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 does not properly display when invalid userID's are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which has already been signed by the third party, aka the "PGPsdk Key Validity Vulnerability." • http://www.osvdb.org/1946 http://www.pgp.com/support/product-advisories/pgpsdk.asp http://www.securityfocus.com/archive/1/211806 http://www.securityfocus.com/bid/3280 https://exchange.xforce.ibmcloud.com/vulnerabilities/7081 •
CVE-2001-0265 – PGP 5.x/6.x/7.0 - ASCII Armor Parser Arbitrary File Creation
https://notcve.org/view.php?id=CVE-2001-0265
ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers to create files in arbitrary locations via a malformed ASCII armored file. • https://www.exploit-db.com/exploits/20738 http://www.atstake.com/research/advisories/2001/a040901-1.txt http://www.osvdb.org/1782 http://www.securityfocus.com/bid/2556 https://exchange.xforce.ibmcloud.com/vulnerabilities/6643 •
CVE-2001-0435
https://notcve.org/view.php?id=CVE-2001-0435
The split key mechanism used by PGP 7.0 allows a key share holder to obtain access to the entire key by setting the "Cache passphrase while logged on" option and capturing the passphrases of other share holders as they authenticate. • http://marc.info/?l=bugtraq&m=98691775527457&w=2 •