Description
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle attacker.
References (6)
Patch, Third Party Advisory (x_refsource_misc): https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
Patch, Third Party Advisory (x_refsource_misc): https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
Patch, Third Party Advisory (x_refsource_misc): https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/neomutt/neomutt/releases/tag/20201120
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/202101-32
Scores
CVSS v3: 5.3
EPSS: 0.0010
EPSS Percentile: 26.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE: CWE-755, CWE-287
Status: published
Products (3)
debian/debian_linux: 9.0
mutt/mutt: < 2.0.2
neomutt/neomutt: < 2020-11-20
Published: Nov 23, 2020
Tracked Since: Feb 18, 2026