CVE-2019-8338

Name of the Vulnerable Software and Affected Versions Airmail GPG-PGP Plugin versions 1.0 (9) and earlier

Description The issue concerns the signature verification routine, which fails to verify the status of the signature and the validity of the signing key. This allows remote attackers to spoof arbitrary email signatures by crafting a signed email with an invalid signature or by creating a key with a fake user ID (email address) and injecting it into the user's keyring.

Recommendations For Airmail GPG-PGP Plugin versions 1.0 (9) and earlier, consider disabling the signature verification feature until a patch is available to prevent spoofing of email signatures. Restrict access to the keyring to minimize the risk of malicious key injection. Avoid using the plugin for verifying email signatures until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.