CVE-2020-14954
moderate-risk
Published 2020-06-21
Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Do I need to act?
~
5.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (14)
References (32)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html
Product
http://www.mutt.org/
Release Notes
https://github.com/neomutt/neomutt/releases/tag/20200619
Issue Tracking
https://gitlab.com/muttmua/mutt/-/issues/248
Third Party Advisory
https://security.gentoo.org/glsa/202007-57
Third Party Advisory
https://usn.ubuntu.com/4403-1/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4707
Third Party Advisory
https://www.debian.org/security/2020/dsa-4708
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html
Product
http://www.mutt.org/
and 12 more references
45
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
9/34 · Low
Exposure
18/34 · Moderate