CVE-2018-14362
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-14362
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-14362.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-14362
- Downstream
- Related
- Published
- 2018-07-17T17:29:00Z
- Modified
- 2025-10-18T08:53:37.219179Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a '/' character.
- References
-
- http://www.mutt.org/news.html
- https://access.redhat.com/errata/RHSA-2018:2526
- https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e
- https://gitlab.com/muttmua/mutt/commit/6aed28b40a0410ec47d40c8c7296d8d10bae7576
- https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html
- https://neomutt.org/2018/07/16/release
- https://security.gentoo.org/glsa/201810-07
- https://usn.ubuntu.com/3719-3/
- https://www.debian.org/security/2018/dsa-4277
Affected packages
Git / github.com/muttmua/mutt
Affected ranges
- Type
- GIT
- Repo
- https://github.com/muttmua/mutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
mutt-0-92-10i
mutt-0-92-11i
mutt-0-92-9i
mutt-0-93-unstable
mutt-0-94-10i-rel
mutt-0-94-13-rel
mutt-0-94-14-rel
mutt-0-94-15-rel
mutt-0-94-16i-rel
mutt-0-94-17i-rel
mutt-0-94-18-rel
mutt-0-94-5i-rel
mutt-0-94-6i-rel
mutt-0-94-7i-rel
mutt-0-94-8i-rel
mutt-0-94-9i-p1
mutt-0-94-9i-rel
mutt-0-95-rel
mutt-0-96-1-rel
mutt-0-96-2-slightly-post-release
mutt-0-96-3-rel
mutt-0-96-4-rel
mutt-0-96-5-rel
mutt-0-96-6-rel
mutt-0-96-7-rel
mutt-0-96-8-rel
mutt-0-96-rel
mutt-1-1-1-1-rel
mutt-1-1-1-2-rel
mutt-1-1-1-rel
mutt-1-1-10-rel
mutt-1-1-11-rel
mutt-1-1-12-rel
mutt-1-1-13-rel
mutt-1-1-14-rel
mutt-1-1-2-rel
mutt-1-1-3-rel
mutt-1-1-4-rel
mutt-1-1-5-rel
mutt-1-1-6-rel
mutt-1-1-7-rel
mutt-1-1-8-rel
mutt-1-1-9-rel
mutt-1-1-rel
mutt-1-10-rel
mutt-1-3-1-rel
mutt-1-3-10-rel
mutt-1-3-11-rel
mutt-1-3-12-rel
mutt-1-3-13-rel
mutt-1-3-14-rel
mutt-1-3-15-rel
mutt-1-3-16-rel
mutt-1-3-17-rel
mutt-1-3-18-rel
mutt-1-3-19-rel
mutt-1-3-2-rel
mutt-1-3-20-rel
mutt-1-3-21-rel
mutt-1-3-22-1-rel
mutt-1-3-22-rel
mutt-1-3-23-1-rel
mutt-1-3-23-2-rel
mutt-1-3-23-rel
mutt-1-3-24-rel
mutt-1-3-25-rel
mutt-1-3-26-rel
mutt-1-3-27-rel
mutt-1-3-3-rel
mutt-1-3-4-rel
mutt-1-3-5-rel
mutt-1-3-6-rel
mutt-1-3-7-rel
mutt-1-3-8-rel
mutt-1-3-9-rel
mutt-1-3-rel
mutt-1-5-1-rel
mutt-1-5-10-rel
mutt-1-5-11-rel
mutt-1-5-12-rel
mutt-1-5-13-rel
mutt-1-5-14-rel
mutt-1-5-15-rel
mutt-1-5-16-rel
mutt-1-5-17-rel
mutt-1-5-18-rel
mutt-1-5-19-rel
mutt-1-5-2-rel
mutt-1-5-20-rel
mutt-1-5-21-rel
mutt-1-5-22-rel
mutt-1-5-23-rel
mutt-1-5-24-rel
mutt-1-5-3-rel
mutt-1-5-4-rel
mutt-1-5-5-1-rel
mutt-1-5-5-rel
mutt-1-5-6-rel
mutt-1-5-7-rel
mutt-1-5-8-rel
mutt-1-5-9-rel
mutt-1-6-1-rel
mutt-1-6-2-rel
mutt-1-6-rel
mutt-1-7-1-rel
mutt-1-7-2-rel
mutt-1-7-rel
mutt-1-8-1-rel
mutt-1-8-2-rel
mutt-1-8-3-rel
mutt-1-8-rel
mutt-1-9-1-rel
mutt-1-9-2-rel
mutt-1-9-3-rel
mutt-1-9-4-rel
mutt-1-9-5-rel
mutt-1-9-rel
post-type-punning-patch
pre-type-punning-patch
Git / github.com/muttmua/mutt
Affected ranges
- Type
- GIT
- Repo
- https://github.com/neomutt/neomutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
neomutt-20160822
neomutt-20160827
neomutt-20160910
neomutt-20160916
neomutt-20161002
neomutt-20161003
neomutt-20161014
neomutt-20161028
neomutt-20161104
neomutt-20161126
neomutt-20170113
neomutt-20170128
neomutt-20170206
neomutt-20170225
neomutt-20170306
neomutt-20170414
neomutt-20170421
neomutt-20170428
neomutt-20170526
neomutt-20170602
neomutt-20170609
neomutt-20170707
neomutt-20170714
neomutt-20170907
neomutt-20170912
neomutt-20171006
neomutt-20171013
neomutt-20171027
neomutt-20171208
neomutt-20171215
neomutt-20180223
neomutt-20180323
neomutt-20180512
neomutt-20180622
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"id": "CVE-2018-14362-5032a5cc",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"file": "newsrc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"166461457871203343767825428571992619843",
"332801287067323168050430816170670082991",
"271786472213938683788850057094204643412",
"119372439653162492663372824806615850337"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-7c96e5e9",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"function": "nntp_hcache_namer",
"file": "newsrc.c"
},
"digest": {
"function_hash": "267537665779261270121660410598778019730",
"length": 137.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2018-14362-7ee6e997",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"file": "pop.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"282507869725829356368754754288309731924",
"180075208061962054958382423698787589478",
"325390537779811331403578311429992453917",
"40849553194821509632949074050468769859",
"139842194387533044031811617629497364218",
"155050040835949172408810526580165649552",
"136377786910619544328349675424106556833",
"151860417053105295748988167916222166622",
"244086138280538416743903398152755732605",
"332873696842681422891121565529699034939",
"236007473157134103291937908027325601442",
"216939413199658701745639496112987145005",
"324706117862882001673612538146887821301",
"57129907368067683541711472898614270563",
"213551591269061358836562623901559679350",
"152837113381736160920589610252144188990",
"141585947957200433890708682389411167554",
"5340409753338793195453880600907208224",
"241370935965336750474995126612698116846",
"51823177502555382073407727853414073788",
"82051695059155998028808786658533210318",
"122795335888784005275271044672923481284",
"222778029668092806927494490481893861537",
"224596775040337544067511760021919277960",
"221925278420521875570561763670544009873",
"310573466833311325665692755462274655651",
"35115817430826594319918924333839638986"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-8f9282b8",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"function": "pop_sync_mailbox",
"file": "pop.c"
},
"digest": {
"function_hash": "221900545852017990172313032652197004192",
"length": 1605.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-dc6726c2",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"function": "pop_fetch_headers",
"file": "pop.c"
},
"digest": {
"function_hash": "317257631665400846064623998635648083237",
"length": 3017.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-e1053d8a",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"function": "msg_cache_check",
"file": "pop.c"
},
"digest": {
"function_hash": "126506414352260493509523767341186245450",
"length": 502.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-ee32bb20",
"source": "https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e",
"signature_version": "v1",
"target": {
"function": "pop_fetch_message",
"file": "pop.c"
},
"digest": {
"function_hash": "221749324668458347741321909465042818204",
"length": 2597.0
},
"deprecated": false
}
]
Git / github.com/muttmua/mutt
Affected ranges
- Type
- GIT
- Repo
- https://gitlab.com/muttmua/mutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
mutt-0-92-10i
mutt-0-92-11i
mutt-0-92-9i
mutt-0-93-unstable
mutt-0-94-10i-rel
mutt-0-94-13-rel
mutt-0-94-14-rel
mutt-0-94-15-rel
mutt-0-94-16i-rel
mutt-0-94-17i-rel
mutt-0-94-18-rel
mutt-0-94-5i-rel
mutt-0-94-6i-rel
mutt-0-94-7i-rel
mutt-0-94-8i-rel
mutt-0-94-9i-p1
mutt-0-94-9i-rel
mutt-0-95-rel
mutt-0-96-1-rel
mutt-0-96-2-slightly-post-release
mutt-0-96-3-rel
mutt-0-96-4-rel
mutt-0-96-5-rel
mutt-0-96-6-rel
mutt-0-96-7-rel
mutt-0-96-8-rel
mutt-0-96-rel
mutt-1-1-1-1-rel
mutt-1-1-1-2-rel
mutt-1-1-1-rel
mutt-1-1-10-rel
mutt-1-1-11-rel
mutt-1-1-12-rel
mutt-1-1-13-rel
mutt-1-1-14-rel
mutt-1-1-2-rel
mutt-1-1-3-rel
mutt-1-1-4-rel
mutt-1-1-5-rel
mutt-1-1-6-rel
mutt-1-1-7-rel
mutt-1-1-8-rel
mutt-1-1-9-rel
mutt-1-1-rel
mutt-1-10-rel
mutt-1-3-1-rel
mutt-1-3-10-rel
mutt-1-3-11-rel
mutt-1-3-12-rel
mutt-1-3-13-rel
mutt-1-3-14-rel
mutt-1-3-15-rel
mutt-1-3-16-rel
mutt-1-3-17-rel
mutt-1-3-18-rel
mutt-1-3-19-rel
mutt-1-3-2-rel
mutt-1-3-20-rel
mutt-1-3-21-rel
mutt-1-3-22-1-rel
mutt-1-3-22-rel
mutt-1-3-23-1-rel
mutt-1-3-23-2-rel
mutt-1-3-23-rel
mutt-1-3-24-rel
mutt-1-3-25-rel
mutt-1-3-26-rel
mutt-1-3-27-rel
mutt-1-3-3-rel
mutt-1-3-4-rel
mutt-1-3-5-rel
mutt-1-3-6-rel
mutt-1-3-7-rel
mutt-1-3-8-rel
mutt-1-3-9-rel
mutt-1-3-rel
mutt-1-5-1-rel
mutt-1-5-10-rel
mutt-1-5-11-rel
mutt-1-5-12-rel
mutt-1-5-13-rel
mutt-1-5-14-rel
mutt-1-5-15-rel
mutt-1-5-16-rel
mutt-1-5-17-rel
mutt-1-5-18-rel
mutt-1-5-19-rel
mutt-1-5-2-rel
mutt-1-5-20-rel
mutt-1-5-21-rel
mutt-1-5-22-rel
mutt-1-5-23-rel
mutt-1-5-24-rel
mutt-1-5-3-rel
mutt-1-5-4-rel
mutt-1-5-5-1-rel
mutt-1-5-5-rel
mutt-1-5-6-rel
mutt-1-5-7-rel
mutt-1-5-8-rel
mutt-1-5-9-rel
mutt-1-6-1-rel
mutt-1-6-2-rel
mutt-1-6-rel
mutt-1-7-1-rel
mutt-1-7-2-rel
mutt-1-7-rel
mutt-1-8-1-rel
mutt-1-8-2-rel
mutt-1-8-3-rel
mutt-1-8-rel
mutt-1-9-1-rel
mutt-1-9-2-rel
mutt-1-9-3-rel
mutt-1-9-4-rel
mutt-1-9-5-rel
mutt-1-9-rel
post-type-punning-patch
pre-type-punning-patch
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"id": "CVE-2018-14362-220a3e57",
"source": "https://gitlab.com/muttmua/mutt@6aed28b40a0410ec47d40c8c7296d8d10bae7576",
"signature_version": "v1",
"target": {
"function": "pop_sync_mailbox",
"file": "pop.c"
},
"digest": {
"function_hash": "203877282032082513856670457410106984505",
"length": 1554.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-49a43789",
"source": "https://gitlab.com/muttmua/mutt@6aed28b40a0410ec47d40c8c7296d8d10bae7576",
"signature_version": "v1",
"target": {
"function": "msg_cache_check",
"file": "pop.c"
},
"digest": {
"function_hash": "325500082941333257680736014199074461078",
"length": 508.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2018-14362-6549483d",
"source": "https://gitlab.com/muttmua/mutt@6aed28b40a0410ec47d40c8c7296d8d10bae7576",
"signature_version": "v1",
"target": {
"file": "pop.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"249015905104921783268118379981716813190",
"180075208061962054958382423698787589478",
"325390537779811331403578311429992453917",
"278699521853201390138733764370018106823",
"136146737738893881373200863103551512706",
"37946969253956364904725322594086040643",
"136377786910619544328349675424106556833",
"252327019854101608580927746545791717975",
"311774669800139807448699864180319932977",
"312391031714537274799489084210941021847",
"65533333092715524251554559761039476142",
"319048243970272962809421998665251142787",
"15399704111583966608829171321511557541",
"139248657884988144472504769782390882235",
"100776044121495972102910698871361049635",
"233062047643696112113804803750618361816",
"255431875871928149974607115155767126849",
"141430068407181609594324196064843873604",
"272757196427394987088838092283140012902",
"51823177502555382073407727853414073788",
"82051695059155998028808786658533210318",
"122795335888784005275271044672923481284",
"222778029668092806927494490481893861537",
"178986409078730298952473038896566632911",
"118940702271776095458127372552951708946",
"253565662786306008209989016921826687734",
"67385587830157418889556558718074387589"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-6f134f7b",
"source": "https://gitlab.com/muttmua/mutt@6aed28b40a0410ec47d40c8c7296d8d10bae7576",
"signature_version": "v1",
"target": {
"function": "pop_fetch_headers",
"file": "pop.c"
},
"digest": {
"function_hash": "299808168449394784185784048087150085601",
"length": 2980.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2018-14362-f506d620",
"source": "https://gitlab.com/muttmua/mutt@6aed28b40a0410ec47d40c8c7296d8d10bae7576",
"signature_version": "v1",
"target": {
"function": "pop_fetch_message",
"file": "pop.c"
},
"digest": {
"function_hash": "227203994769922844282177250937303926350",
"length": 2632.0
},
"deprecated": false
}
]