CVE-2020-28896

Severity: Medium (CVSS 3.1 base score 5.3)
EPSS: 81.3%
Published: Nov 23, 2020
Last Modified: Jun 17, 2026

Description

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.

CVSS Details

Base Score: 5.3
Exploitability: 1.6
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Threat Intelligence

EPSS Exploit Probability: 81.3% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses (2)

CWE-287 Improper Authentication
CWE-755

Affected Products (3)

Vendor    Product        Version   Range
mutt      mutt           *         <2.0.2
neomutt   neomutt        *         <2020-11-20
debian    debian_linux   9.0       any

References (6)

  • https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
    Patch, Third Party Advisory
  • https://github.com/neomutt/neomutt/releases/tag/20201120
    Release Notes, Third Party Advisory
  • https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
    Patch, Third Party Advisory
  • https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
    Patch, Third Party Advisory
  • https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
    Mailing List, Third Party Advisory
  • https://security.gentoo.org/glsa/202101-32
    Third Party Advisory

Remediation

  • https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
    Patch, Third Party Advisory
  • https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
    Patch, Third Party Advisory
  • https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
    Patch, Third Party Advisory