CVE-2021-3349 — Insufficient Verification of Data Authenticity in Evolution

CWE-345 — Insufficient Verification of Data Authenticity7 documents6 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 71.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Evolution

Timeline

PublishedFeb 1

Latest updateMay 24

Description

GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages1 packages

▶NVDgnome/evolution3.38.3

🔴Vulnerability Details

GHSA

GHSA-q5mm-jcp2-mc43: ** DISPUTED ** GNOME Evolution through 3↗2022-05-24

▶

CVEList

CVE-2021-3349: GNOME Evolution through 3↗2021-02-01

▶

OSV

CVE-2021-3349: ** DISPUTED ** GNOME Evolution through 3↗2021-02-01

▶

OSV

CVE-2021-3349: GNOME Evolution through 3↗2021-02-01

▶

📋Vendor Advisories

Red Hat

evolution-data-server: mail is shown as having a valid signature from an unknown identifier on a previously trusted key↗2021-02-01

▶

Debian

CVE-2021-3349: evolution - GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unkno...↗2021

▶