STARTTLS Buffering Issue in Mutt and NeoMutt Affecting Email Protocols
CVE-2020-14954

5.9MEDIUM

Key Information:

Vendor

Mutt

Status
Mutt
Vendor
CVE Published:
21 June 2020

What is CVE-2020-14954?

The vulnerability in Mutt and NeoMutt arises from a STARTTLS buffering issue that impacts the handling of IMAP, SMTP, and POP3 protocols. When a server sends a 'begin TLS' response, the email client can inadvertently read additional data that could originate from a man-in-the-middle attacker, leading to potential response injection. This flaw underscores the importance of ensuring proper TLS handling to mitigate risks associated with malicious data interception during email communication.

References

https://www.debian.org/security/2020/dsa-4707
vendor-advisoryx_refsource_DEBIAN
http://www.mutt.org/
x_refsource_MISC
https://gitlab.com/muttmua/mutt/-/issues/248
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.