CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-28896 – mutt: Incorrect handling of invalid initial IMAP responses could lead to an authentication attempt over unencrypted connection
https://notcve.org/view.php?id=CVE-2020-28896
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle. Mutt versiones anteriores a 2.0.2 y NeoMutt anterior al 20-11-2020 no aseguraron que $ssl_force_tls fuera procesado si la respuesta inicial del servidor de un servidor IMAP no era válida. La conexión no se cerró correctamente y el código podría seguir intentando autenticarse. • https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06 https://github.com/neomutt/neomutt/releases/tag/20201120 https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html https://security.gentoo.org/glsa/202101-32 https://access.redhat.com/security/cve/CVE-2020-28896 https://bugzilla.redhat.com/show_bug.cgi?id=1900826 • CWE-287: Improper Authentication CWE-319: Cleartext Transmission of Sensitive Information CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 5.9EPSS: 0%CPEs: 14EXPL: 0CVE-2020-14954
https://notcve.org/view.php?id=CVE-2020-14954
Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection." Mutt versiones anteriores a 1.14.4 y NeoMutt antes del 19-06-2020, presentan un problema de almacenamiento de STARTTLS que afecta a IMAP, SMTP y POP3. Cuando un servidor envía una respuesta "begin TLS", el cliente lee datos adicionales (por ejemplo, a partir de un atacante man-in-the-middle) y los evalúa en un contexto TLS, también se conoce como "response injection" • http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc https://github.com/neomutt/neomutt/releases/tag/20200619 https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4 https://gitlab.com/muttmua/mutt/-/issues& • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14349
https://notcve.org/view.php?id=CVE-2018-14349
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message. Se ha descubierto un problema en Mutt en versiones anteriores a la 1.10.1 y NeoMutt en versiones anteriores al 2018-07-16. imap/command.c gestiona de manera incorrecta una respuesta NO sin mensaje. • http://www.mutt.org/news.html https://github.com/neomutt/neomutt/commit/36a29280448097f34ce9c94606195f2ac643fed1 https://gitlab.com/muttmua/mutt/commit/9347b5c01dc52682cb6be11539d9b7ebceae4416 https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html https://neomutt.org/2018/07/16/release https://security.gentoo.org/glsa/201810-07 https://usn.ubuntu.com/3719-3 https://www.debian.org/security/2018/dsa-4277 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14351
https://notcve.org/view.php?id=CVE-2018-14351
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size. Se ha descubierto un problema en Mutt en versiones anteriores a la 1.10.1 y NeoMutt en versiones anteriores al 2018-07-16. imap/command.c gestiona de manera incorrecta un tamaño de conteo literal IMAP de status mailbox. • http://www.mutt.org/news.html https://github.com/neomutt/neomutt/commit/3c49c44be9b459d9c616bcaef6eb5d51298c1741 https://gitlab.com/muttmua/mutt/commit/e57a8602b45f58edf7b3ffb61bb17525d75dfcb1 https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html https://neomutt.org/2018/07/16/release https://security.gentoo.org/glsa/201810-07 https://usn.ubuntu.com/3719-3 https://www.debian.org/security/2018/dsa-4277 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14356
https://notcve.org/view.php?id=CVE-2018-14356
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID. Se ha descubierto un problema en Mutt en versiones anteriores a la 1.10.1 y NeoMutt en versiones anteriores al 2018-07-16. pop.c gestiona de manera incorrecta un UID de longitud cero. • http://www.mutt.org/news.html https://github.com/neomutt/neomutt/commit/93b8ac558752d09e1c56d4f1bc82631316fa9c82 https://gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c6 https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html https://neomutt.org/2018/07/16/release https://security.gentoo.org/glsa/201810-07 https://usn.ubuntu.com/3719-3 https://www.debian.org/security/2018/dsa-4277 • CWE-824: Access of Uninitialized Pointer •