Tuta Mail Vulnerability - DoS

A denial of service vulnerability (CVE-2024-23655) has been identified in Tuta Mail. This vulnerability could prevent users from accessing and reading received mails when an attacker sends a manipulated mail.

Details

  • Product: Tuta Mail
  • Affected Version: Tuta Mail >=3.118.12, < 3.119.10
  • Vulnerability Type: Improper Input Validation (CWE-20)
  • Risk Level: High
  • Vendor URL: https://tuta.com/
  • Vendor acknowledged vulnerability: Yes
  • Vendor Status: Fixed
  • CVE: CVE-2024-23655

The vulnerability was discovered during testing of Tutanota for iOS. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received emails.

References

Timeline

  • 2024-01-25: Vendor has reported that the vulnerability has been fixed.
  • 2024-11-29: This blog post was published.

Credits