All the vulnerabilites related to Fetchmail Project - Fetchmail
jvndb-2007-000295
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2009-08-06 11:39
Summary
APOP password recovery vulnerability
Details
POP3 is a protocol for receiving email from mail servers. APOP is an authentication mechanism used by the POP3 protocol.
It is reported that APOP passwords could be recovered by third parties.
In its successful attack, the attacker spoofs itself as the mail server, provides challenge strings to the client, and collects the responses from the client. The attacker should repeat this process for a certain period of time without alerting the user of the attack.
References
Impacted products
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000295.html", "dc:date": "2009-08-06T11:39+09:00", "dcterms:issued": "2008-05-21T00:00+09:00", "dcterms:modified": "2009-08-06T11:39+09:00", "description": "POP3 is a protocol for receiving email from mail servers. APOP is an authentication mechanism used by the POP3 protocol.\r\n\r\nIt is reported that APOP passwords could be recovered by third parties.\r\n\r\nIn its successful attack, the attacker spoofs itself as the mail server, provides challenge strings to the client, and collects the responses from the client. The attacker should repeat this process for a certain period of time without alerting the user of the attack.", "link": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000295.html", "sec:cpe": [ { "#text": "cpe:/a:claws_mail:claws_mail", "@product": "Claws Mail", "@vendor": "Claws Mail", "@version": "2.2" }, { "#text": "cpe:/a:fetchmail:fetchmail", "@product": "Fetchmail", "@vendor": "Fetchmail Project", "@version": "2.2" }, { "#text": "cpe:/a:mozilla:seamonkey", "@product": "Mozilla SeaMonkey", "@vendor": "mozilla.org contributors", "@version": "2.2" }, { "#text": "cpe:/a:mozilla:thunderbird", "@product": "Mozilla Thunderbird", "@vendor": "mozilla.org contributors", "@version": "2.2" }, { "#text": "cpe:/a:mutt:mutt", "@product": "Mutt", "@vendor": "Mutt", "@version": "2.2" }, { "#text": "cpe:/a:redhat:rhel_optional_productivity_applications", "@product": "RHEL Optional Productivity Applications", "@vendor": "Red Hat, Inc.", "@version": "2.2" }, { "#text": "cpe:/a:sylpheed:sylpheed", "@product": "Sylpheed", "@vendor": "Sylpheed", "@version": "2.2" }, { "#text": "cpe:/o:hp:hp-ux", "@product": "HP-UX", "@vendor": "Hewlett-Packard Development Company,L.P", "@version": "2.2" }, { "#text": "cpe:/o:misc:miraclelinux_asianux_server", "@product": "Asianux Server", "@vendor": "Cybertrust Japan Co., Ltd.", "@version": "2.2" }, { "#text": "cpe:/o:redhat:enterprise_linux", "@product": "Red Hat Enterprise Linux", "@vendor": "Red Hat, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:redhat:enterprise_linux_desktop", "@product": "Red Hat Enterprise Linux Desktop", "@vendor": "Red Hat, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:redhat:enterprise_linux_eus", "@product": "Red Hat Enterprise Linux EUS", "@vendor": "Red Hat, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:redhat:linux_advanced_workstation", "@product": "Red Hat Linux Advanced Workstation", "@vendor": "Red Hat, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:redhat:rhel_desktop_workstation", "@product": "RHEL Desktop Workstation", "@vendor": "Red Hat, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux", "@product": "Turbolinux", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_desktop", "@product": "Turbolinux Desktop", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_fuji", "@product": "Turbolinux FUJI", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_home", "@product": "Turbolinux Home", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_multimedia", "@product": "Turbolinux Multimedia", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_personal", "@product": "Turbolinux Personal", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_server", "@product": "Turbolinux Server", "@vendor": "Turbolinux, Inc.", "@version": "2.2" }, { "#text": "cpe:/o:turbolinux:turbolinux_wizpy", "@product": "wizpy", "@vendor": "Turbolinux, Inc.", "@version": "2.2" } ], "sec:cvss": { "@score": "5.4", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:H/Au:N/C:C/I:N/A:N", "@version": "2.0" }, "sec:identifier": "JVNDB-2007-000295", "sec:references": [ { "#text": "http://jvn.jp/cert/JVNTA07-151A/index.html", "@id": "JVNTA07-151A", "@source": "JVN" }, { "#text": "http://jvn.jp/en/jp/JVN19445002/index.html", "@id": "JVN#19445002", "@source": "JVN" }, { "#text": "http://jvn.jp/tr/TRTA07-151A/index.html", "@id": "TRTA07-151A", "@source": "JVNTR" }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558", "@id": "CVE-2007-1558", "@source": "CVE" }, { "#text": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1558", "@id": "CVE-2007-1558", "@source": "NVD" }, { "#text": "http://www.us-cert.gov/cas/alerts/SA07-151A.html", "@id": "SA07-151A", "@source": "CERT-SA" }, { "#text": "http://www.us-cert.gov/cas/techalerts/TA07-151A.html", "@id": "TA07-151A", "@source": "CERT-TA" }, { "#text": "http://www.securityfocus.com/bid/23257", "@id": "23257", "@source": "BID" }, { "#text": "http://www.securitytracker.com/id?1018008", "@id": "1018008", "@source": "SECTRACK" }, { "#text": "http://www.frsirt.com/english/advisories/2007/1466", "@id": "FrSIRT/ADV-2007-1466", "@source": "FRSIRT" }, { "#text": "http://www.frsirt.com/english/advisories/2007/1480", "@id": "FrSIRT/ADV-2007-1480", "@source": "FRSIRT" }, { "#text": "http://www.frsirt.com/english/advisories/2007/1468", "@id": "FrSIRT/ADV-2007-1468", "@source": "FRSIRT" }, { "#text": "http://www.frsirt.com/english/advisories/2007/1467", "@id": "FrSIRT/ADV-2007-1467", "@source": "FRSIRT" }, { "#text": "http://www.ietf.org/rfc/rfc1939.txt", "@id": "RFC1939:Post Office Protocol - Version 3", "@source": "IETF" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-264", "@title": "Permissions(CWE-264)" } ], "title": "APOP password recovery vulnerability" }