PT-2020-6267 · Neomutt+9

Damian Poddebniak +1 · Published 2020-11-23 · Updated 2025-01-15 · CVE-2020-28896

CVSS v3.1 5.3 Medium
Vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Mutt versions prior to 2.0.2
NeoMutt versions prior to 2020-11-20
Description The issue stems from insufficient protection of credentials, which could allow a remote attacker to obtain them. If an IMAP server's initial response (the greeting) was invalid, the connection was not properly closed, and the code could continue attempting to authenticate on that connection. Because the greeting is exchanged before any STARTTLS upgrade, an attacker who controls the server or sits between client and server can send an invalid greeting and cause the client to transmit its login credentials on an unencrypted connection, where a machine-in-the-middle can read them. The CVSS vector reflects this: the attack needs an on-path position or a malicious server (AC:H) and a client that initiates a connection (UI:R), and the impact is confidentiality only (C:H).
Recommendations For Mutt versions prior to 2.0.2, update to version 2.0.2 or later. For NeoMutt versions prior to 2020-11-20, update to a release dated after 2020-11-20. Until the update can be applied, configure IMAP accounts to use implicit TLS (imaps://, port 993) rather than a plaintext connection upgraded with STARTTLS: with implicit TLS the TLS session is established before the greeting is read, so an on-path attacker cannot inject an invalid greeting and a login sent afterwards is never in the clear. If a vulnerable client has connected over an untrusted network, treat the IMAP password as potentially exposed and rotate it.
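The failure mode described above, reduced to a runnable model. This is added illustration code, not Mutt's or NeoMutt's source: the `ImapConn` class, the `open_connection`/`login` functions, the `malicious_server` endpoint and the credentials `alice`/`hunter2` are all constructed here. The vulnerable path reports an error on a bad greeting but leaves the socket open and the state "connected"; the caller trusts that state and sends LOGIN in the clear. The fixed path closes the socket before failing, so nothing is sent.

```python
import socket
import threading

# Constructed model of the IMAP greeting bug behind CVE-2020-28896.
# Added illustration code; not the source of Mutt or NeoMutt.

DISCONNECTED, CONNECTED = 0, 1


class ImapConn:
    def __init__(self, sock):
        self.sock = sock
        self.state = DISCONNECTED


def read_line(sock):
    """Read one CRLF-terminated line; return b'' on EOF or timeout."""
    buf = b""
    try:
        while not buf.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                return b""
            buf += chunk
    except socket.timeout:
        return b""
    return buf


def open_connection(conn, fixed):
    """Read the server greeting. Only '* OK' and '* PREAUTH' are accepted
    here; anything else is an error. Vulnerable path: report the error but
    leave the socket open and the state CONNECTED. Fixed path: close the
    socket and mark the connection dead before failing."""
    conn.state = CONNECTED
    greeting = read_line(conn.sock).upper()
    if greeting.startswith((b"* OK", b"* PREAUTH")):
        return 0  # a real client would negotiate STARTTLS at this point
    if fixed:
        conn.sock.close()
        conn.state = DISCONNECTED
    return -1


def login(conn, user, password, fixed):
    """Caller modelled on the bug: it keys off conn.state rather than the
    return code of open_connection, so a half-open connection is reused."""
    open_connection(conn, fixed)
    if conn.state != CONNECTED:
        return False
    # No TLS was negotiated on this socket: the password goes out in the clear.
    conn.sock.sendall(b"a001 LOGIN " + user + b" " + password + b"\r\n")
    return True


def malicious_server(sock, greeting, captured):
    """Attacker-controlled server (or on-path MITM): send a bogus greeting,
    then record whatever the client sends next."""
    sock.settimeout(5)
    sock.sendall(greeting)
    captured.append(read_line(sock))
    sock.close()


def simulate(greeting, fixed):
    """Run the client against the malicious server and return the bytes the
    attacker captured after the greeting (b'' if the client hung up)."""
    client_sock, server_sock = socket.socketpair()
    captured = []
    t = threading.Thread(target=malicious_server, args=(server_sock, greeting, captured))
    t.start()
    login(ImapConn(client_sock), b"alice", b"hunter2", fixed)  # constructed credentials
    t.join()
    client_sock.close()
    return captured[0] if captured else b""


if __name__ == "__main__":
    print("vulnerable:", simulate(b"garbage\r\n", fixed=False))
    print("fixed:     ", simulate(b"garbage\r\n", fixed=True))
```

With an invalid greeting the vulnerable client hands the attacker `a001 LOGIN alice hunter2`; the fixed client closes the socket and the attacker sees only EOF. The same model shows why implicit TLS is the right interim mitigation: if `socketpair()` were a TLS session established before the greeting, the attacker could not be the one sending it.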

Fix

Weakness Enumeration

Insufficiently Protected Credentials (CWE-522)
Improper Authentication (CWE-287)
Improper Handling of Exceptional Conditions (CWE-755)

Related Identifiers

ALSA-2021:4181
ALT-PU-2021-1100
BDU:2021-03739
CESA-2021_4181
CVE-2020-28896
DLA-2472-1
MGASA-2020-0448
OESA-2021-1005
OPENSUSE-SU-2020:2127-1
OPENSUSE-SU-2020:2128-1
OPENSUSE-SU-2020:2141-1
OPENSUSE-SU-2020:2157-1
OPENSUSE-SU-2020:2158-1
OPENSUSE-SU-2024:11069-1
OPENSUSE-SU-2024:11079-1
RHSA-2021:4181
RLSA-2021:4181
SUSE-SU-2020:14551-1
SUSE-SU-2020:3568-1
SUSE-SU-2020:3632-1
USN-4645-1
USN-7204-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Mutt
Neomutt
Red Hat
Rocky Linux
Suse
Ubuntu