Page 2 of 32 results (0.009 seconds)

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0

CVE-2020-28896 – mutt: Incorrect handling of invalid initial IMAP responses could lead to an authentication attempt over unencrypted connection

https://notcve.org/view.php?id=CVE-2020-28896

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle. Mutt versiones anteriores a 2.0.2 y NeoMutt anterior al 20-11-2020 no aseguraron que $ssl_force_tls fuera procesado si la respuesta inicial del servidor de un servidor IMAP no era válida. La conexión no se cerró correctamente y el código podría seguir intentando autenticarse. • https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06 https://github.com/neomutt/neomutt/releases/tag/20201120 https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html https://security.gentoo.org/glsa/202101-32 https://access.redhat.com/security/cve/CVE-2020-28896 https://bugzilla.redhat.com/show_bug.cgi?id=1900826 • CWE-287: Improper Authentication CWE-319: Cleartext Transmission of Sensitive Information CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 5.9EPSS: 0%CPEs: 14EXPL: 0

CVE-2020-14954

https://notcve.org/view.php?id=CVE-2020-14954

Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection." Mutt versiones anteriores a 1.14.4 y NeoMutt antes del 19-06-2020, presentan un problema de almacenamiento de STARTTLS que afecta a IMAP, SMTP y POP3. Cuando un servidor envía una respuesta "begin TLS", el cliente lee datos adicionales (por ejemplo, a partir de un atacante man-in-the-middle) y los evalúa en un contexto TLS, también se conoce como "response injection" • http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc https://github.com/neomutt/neomutt/releases/tag/20200619 https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4 https://gitlab.com/muttmua/mutt/-/issues& • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 5.8EPSS: 0%CPEs: 6EXPL: 0

CVE-2020-14154

https://notcve.org/view.php?id=CVE-2020-14154

Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate. Mutt versiones anteriores a 1.14.3, procede con una conexión incluso si, en respuesta a un aviso de certificado GnuTLS, el usuario rechaza un certificado intermedio expirado • http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://bugs.gentoo.org/728300 https://security.gentoo.org/glsa/202007-57 https://usn.ubuntu.com/4401-1 •

CVSS: 5.9EPSS: 0%CPEs: 11EXPL: 0

CVE-2020-14093

https://notcve.org/view.php?id=CVE-2020-14093

Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. Mutt versiones anteriores a 1.14.3, permite un ataque de tipo man-in-the-middle de fcc/postpone de IMAP por medio de una respuesta PREAUTH • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html http://www.mutt.org https://bugs.gentoo.org/728300 https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 https://lists.debian.org/debian-lts-announce/2020/06/msg00039.html https://lists.debian.org/debian-lts-announce/2020/06/msg00040.html https://security.gentoo.org/glsa/202007-57 https://usn.ubuntu.com/4401-1 https • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0

CVE-2005-2351

https://notcve.org/view.php?id=CVE-2005-2351

Mutt before 1.5.20 patch 7 allows an attacker to cause a denial of service via a series of requests to mutt temporary files. Mutt versiones anteriores a 1.5.20, parche 7, permite a un atacante causar una denegación de servicio por medio de una serie de peticiones para archivos temporales de mutt. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311296 https://security-tracker.debian.org/tracker/CVE-2005-2351 • CWE-668: Exposure of Resource to Wrong Sphere •