CVE-2020-14954
https://notcve.org/view.php?id=CVE-2020-14954
Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection." Mutt versiones anteriores a 1.14.4 y NeoMutt antes del 19-06-2020, presentan un problema de almacenamiento de STARTTLS que afecta a IMAP, SMTP y POP3. Cuando un servidor envía una respuesta "begin TLS", el cliente lee datos adicionales (por ejemplo, a partir de un atacante man-in-the-middle) y los evalúa en un contexto TLS, también se conoce como "response injection" • http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc https://github.com/neomutt/neomutt/releases/tag/20200619 https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4 https://gitlab.com/muttmua/mutt/-/issues& • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2020-14154
https://notcve.org/view.php?id=CVE-2020-14154
Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate. Mutt versiones anteriores a 1.14.3, procede con una conexión incluso si, en respuesta a un aviso de certificado GnuTLS, el usuario rechaza un certificado intermedio expirado • http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://bugs.gentoo.org/728300 https://security.gentoo.org/glsa/202007-57 https://usn.ubuntu.com/4401-1 •
CVE-2020-14093
https://notcve.org/view.php?id=CVE-2020-14093
Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. Mutt versiones anteriores a 1.14.3, permite un ataque de tipo man-in-the-middle de fcc/postpone de IMAP por medio de una respuesta PREAUTH • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://bugs.gentoo.org/728300 https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 https://lists.debian.org/debian-lts-announce/2020/06/msg00039.html https://lists.debian.org/debian-lts-announce/2020/06/msg00040.html https://security.gentoo.org/glsa/202007-57 https://usn.ubuntu.com/4401-1 https • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2005-2351
https://notcve.org/view.php?id=CVE-2005-2351
Mutt before 1.5.20 patch 7 allows an attacker to cause a denial of service via a series of requests to mutt temporary files. Mutt versiones anteriores a 1.5.20, parche 7, permite a un atacante causar una denegación de servicio por medio de una serie de peticiones para archivos temporales de mutt. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311296 https://security-tracker.debian.org/tracker/CVE-2005-2351 • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2018-14356
https://notcve.org/view.php?id=CVE-2018-14356
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID. Se ha descubierto un problema en Mutt en versiones anteriores a la 1.10.1 y NeoMutt en versiones anteriores al 2018-07-16. pop.c gestiona de manera incorrecta un UID de longitud cero. • http://www.mutt.org/news.html https://github.com/neomutt/neomutt/commit/93b8ac558752d09e1c56d4f1bc82631316fa9c82 https://gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c6 https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html https://neomutt.org/2018/07/16/release https://security.gentoo.org/glsa/201810-07 https://usn.ubuntu.com/3719-3 https://www.debian.org/security/2018/dsa-4277 • CWE-824: Access of Uninitialized Pointer •