Candidate: CVE-2019-10740
PublicDate: 2019-04-07 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10740
 https://github.com/roundcube/roundcubemail/issues/6638
Description:
 In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or
 PGP encrypted emails can wrap them as sub-parts within a crafted multipart
 email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII
 newline characters. This modified multipart email can be re-sent by the
 attacker to the intended receiver. If the receiver replies to this (benign
 looking) email, they unknowingly leak the plaintext of the encrypted message
 part(s) back to the attacker.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N [4.3 MEDIUM]

Patches_roundcube:
 upstream: https://github.com/roundcube/roundcubemail/commit/de25226d310de11f6a9eb0aa7ea1c90d82dc70d8
upstream_roundcube: released (1.4.0)
precise/esm_roundcube: DNE
trusty_roundcube: ignored (reached end-of-life)
trusty/esm_roundcube: DNE (trusty was not-affected)
xenial_roundcube: ignored (end of standard support, was needed)
bionic_roundcube: needed
cosmic_roundcube: ignored (reached end-of-life)
disco_roundcube: ignored (reached end-of-life)
eoan_roundcube: ignored (reached end-of-life)
focal_roundcube: not-affected (1.4.3+dfsg.1-1)
groovy_roundcube: not-affected (1.4.3+dfsg.1-1)
hirsute_roundcube: not-affected (1.4.3+dfsg.1-1)
impish_roundcube: not-affected (1.4.11+dfsg.1-4)
jammy_roundcube: not-affected (1.5.0+dfsg.1-2)
devel_roundcube: not-affected (1.5.0+dfsg.1-2)