CVE-2007-1558

CVE Details

Release Date:	2007-04-16
Impact:	Moderate	What is this?

Description

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

See more information about CVE-2007-1558 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v2 metrics

Base Score:	2.6
Vector String:	AV:N/AC:H/Au:N/C:P/I:N/A:N
Version:	2.0
Attack Vector:	Network
Attack Complexity:	High
Authentication:	None
Confidentiality Impact:	Partial
Integrity Impact:	None
Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Enterprise Linux version 3 (fetchmail)	ELSA-2007-0385	2007-06-07
Oracle Enterprise Linux version 3 (mutt)	ELSA-2007-0386	2007-06-04
Oracle Enterprise Linux version 3 (seamonkey)	ELSA-2007-0402	2007-05-31
Oracle Enterprise Linux version 4 (devhelp)	ELSA-2007-0402	2007-05-31
Oracle Enterprise Linux version 4 (fetchmail)	ELSA-2007-0385	2007-06-07
Oracle Enterprise Linux version 4 (mutt)	ELSA-2007-0386	2007-06-04
Oracle Enterprise Linux version 4 (ruby)	ELSA-2009-1140	2009-07-02
Oracle Enterprise Linux version 4 (seamonkey)	ELSA-2007-0402	2007-05-31
Oracle Enterprise Linux version 4 (thunderbird)	ELSA-2007-0401	2007-05-31
Oracle Linux version 5 (evolution-data-server)	ELSA-2007-0344	2007-06-26
Oracle Linux version 5 (fetchmail)	ELSA-2007-0385	2007-06-07
Oracle Linux version 5 (mutt)	ELSA-2007-0386	2007-06-04
Oracle Linux version 5 (ruby)	ELSA-2009-1140	2009-07-02