CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4874 – Undefined Behavior for Input to API in Mutt
https://notcve.org/view.php?id=CVE-2023-4874
Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12 Eliminación de referencia del puntero nulo al ver un correo electrónico especialmente manipulado en Mutt versiones >1.5.2 y <2.2.12 A null pointer dereference flaw was found in mutt when handling specially crafted characters. This issue could allow an attacker to send a specially crafted email that causes the email client to crash when reading or processing the email. • http://www.openwall.com/lists/oss-security/2023/09/26/6 https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0.patch https://lists.debian.org/debian-lts-announce/2023/09/msg00021.html https://www.debian.org/security/2023/dsa-5494 https://access.redhat.com/security/cve/CVE-2023-4874 https://bugzilla.redhat.com/show_bug.cgi?id=2238240 • CWE-475: Undefined Behavior for Input to API CWE-476: NULL Pointer Dereference •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4875 – Undefined Behavior for Input to API in Mutt
https://notcve.org/view.php?id=CVE-2023-4875
Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12 Eliminación de referencia del puntero nulo al redactar a partir de un mensaje de borrador especialmente manipulado en Mutt versiones >1.5.2 y <2.2.12 A null pointer dereference flaw was found in mutt when handling specially crafted characters. This issue could allow an attacker to send a specially crafted email that causes the email client to crash when reading or processing the email. • http://www.openwall.com/lists/oss-security/2023/09/26/6 https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch https://gitlab.com/muttmua/mutt/-/commit/4cc3128abdf52c615911589394a03271fddeefc6.patch https://lists.debian.org/debian-lts-announce/2023/09/msg00021.html https://www.debian.org/security/2023/dsa-5494 https://access.redhat.com/security/cve/CVE-2023-4875 https://bugzilla.redhat.com/show_bug.cgi?id=2238241 • CWE-475: Undefined Behavior for Input to API CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-1328 – mutt: buffer overflow in uudecoder function
https://notcve.org/view.php?id=CVE-2022-1328
Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line Un Desbordamiento del Búfer en uudecoder en Mutt afectando a todas las versiones a partir de 0.94.13 antes de 2.2.3 permite leer más allá del final de la línea de entrada A flaw was found in mutt. When reading unencoded messages, mutt uses the line length from the untrusted input without any validation. This flaw allows an attacker to craft a malicious message, which leads to an out-of-bounds read, causing data leaks that include fragments of other unrelated messages. In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replys, for example fragments of other messages, passphrases or keys. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1328.json https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 https://gitlab.com/muttmua/mutt/-/issues/404 https://access.redhat.com/security/cve/CVE-2022-1328 https://bugzilla.redhat.com/show_bug.cgi?id=2076058 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.5EPSS: 1%CPEs: 5EXPL: 0CVE-2021-3181 – mutt: Memory leak when parsing rfc822 group addresses
https://notcve.org/view.php?id=CVE-2021-3181
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons. El archivo rfc822.c en Mutt versiones hasta 2.0.4, permite a atacantes remotos causar una denegación de servicio (buzón de correo no disponible) mediante el envío de mensajes de correo electrónico con secuencias de caracteres de punto y coma en los campos de dirección RFC822 (también se conoce como terminadores de grupos vacíos). Un pequeño mensaje de correo electrónico del atacante puede causar un gran consumo de memoria y, por lo tanto, es posible que la víctima no pueda ver los mensajes de correo electrónico de otras personas • http://www.openwall.com/lists/oss-security/2021/01/19/10 http://www.openwall.com/lists/oss-security/2021/01/27/3 https://gitlab.com/muttmua/mutt/-/commit/4a2becbdb4422aaffe3ce314991b9d670b7adf17 https://gitlab.com/muttmua/mutt/-/commit/939b02b33ae29bc0d642570c1dcfd4b339037d19 https://gitlab.com/muttmua/mutt/-/commit/d4305208955c5cdd9fe96dfa61e7c1e14e176a14 https://gitlab.com/muttmua/mutt/-/issues/323 https://lists.debian.org/debian-lts-announce/2021/01/msg00017.html https://lists.fedoraproject&# • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-28896 – mutt: Incorrect handling of invalid initial IMAP responses could lead to an authentication attempt over unencrypted connection
https://notcve.org/view.php?id=CVE-2020-28896
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle. Mutt versiones anteriores a 2.0.2 y NeoMutt anterior al 20-11-2020 no aseguraron que $ssl_force_tls fuera procesado si la respuesta inicial del servidor de un servidor IMAP no era válida. La conexión no se cerró correctamente y el código podría seguir intentando autenticarse. • https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06 https://github.com/neomutt/neomutt/releases/tag/20201120 https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html https://security.gentoo.org/glsa/202101-32 https://access.redhat.com/security/cve/CVE-2020-28896 https://bugzilla.redhat.com/show_bug.cgi?id=1900826 • CWE-287: Improper Authentication CWE-319: Cleartext Transmission of Sensitive Information CWE-755: Improper Handling of Exceptional Conditions •