CVE-2020-28896

MEDIUM

Mutt < 2.0.2 - Improper Exception Handling

Title source: rule

Description

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.

References (6)

[Patch, Third Party Advisory] https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06

View Patch ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/neomutt/neomutt/releases/tag/20201120

[Patch, Third Party Advisory] https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a

[Patch, Third Party Advisory] https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html

[Third Party Advisory] https://security.gentoo.org/glsa/202101-32

Scores

CVSS v3 5.3

EPSS 0.0010

EPSS Percentile 26.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-755 CWE-287

Status published

Affected Products (3)

mutt/mutt < 2.0.2

neomutt/neomutt < 2020-11-20

debian/debian_linux

Timeline

Published Nov 23, 2020

Tracked Since Feb 18, 2026