CVE-2020-28896
- Source
- https://cve.org/CVERecord?id=CVE-2020-28896
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28896.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-28896
- Downstream
- Related
- Published
- 2020-11-23T19:15:11.413Z
- Modified
- 2026-02-21T07:33:29.186377Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $sslforcetls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
- References
-
- https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
- https://github.com/neomutt/neomutt/releases/tag/20201120
- https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
- https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
- https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
- https://security.gentoo.org/glsa/202101-32
- https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
- https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
- https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
- https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
Affected packages
Git / gitlab.com/muttmua/mutt
Affected ranges
- Type
- GIT
- Repo
- https://gitlab.com/muttmua/mutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
mutt-0-92-10i
mutt-0-92-11i
mutt-0-92-9i
mutt-0-93-unstable
mutt-0-94-10i-rel
mutt-0-94-13-rel
mutt-0-94-14-rel
mutt-0-94-15-rel
mutt-0-94-16i-rel
mutt-0-94-17i-rel
mutt-0-94-18-rel
mutt-0-94-5i-rel
mutt-0-94-6i-rel
mutt-0-94-7i-rel
mutt-0-94-8i-rel
mutt-0-94-9i-p1
mutt-0-94-9i-rel
mutt-0-95-rel
mutt-0-96-1-rel
mutt-0-96-2-slightly-post-release
mutt-0-96-3-rel
mutt-0-96-4-rel
mutt-0-96-5-rel
mutt-0-96-6-rel
mutt-0-96-7-rel
mutt-0-96-8-rel
mutt-0-96-rel
mutt-1-1-1-1-rel
mutt-1-1-1-2-rel
mutt-1-1-1-rel
mutt-1-1-10-rel
mutt-1-1-11-rel
mutt-1-1-12-rel
mutt-1-1-13-rel
mutt-1-1-14-rel
mutt-1-1-2-rel
mutt-1-1-3-rel
mutt-1-1-4-rel
mutt-1-1-5-rel
mutt-1-1-6-rel
mutt-1-1-7-rel
mutt-1-1-8-rel
mutt-1-1-9-rel
mutt-1-1-rel
mutt-1-10-1-rel
mutt-1-10-rel
mutt-1-11-1-rel
mutt-1-11-2-rel
mutt-1-11-3-rel
mutt-1-11-4-rel
mutt-1-11-rel
mutt-1-12-1-rel
mutt-1-12-2-rel
mutt-1-12-rel
mutt-1-13-1-rel
mutt-1-13-2-rel
mutt-1-13-3-rel
mutt-1-13-4-rel
mutt-1-13-5-rel
mutt-1-13-rel
mutt-1-14-1-rel
mutt-1-14-2-rel
mutt-1-14-3-rel
mutt-1-14-4-rel
mutt-1-14-5-rel
mutt-1-14-6-rel
mutt-1-14-7-rel
mutt-1-14-rel
mutt-1-3-1-rel
mutt-1-3-10-rel
mutt-1-3-11-rel
mutt-1-3-12-rel
mutt-1-3-13-rel
mutt-1-3-14-rel
mutt-1-3-15-rel
mutt-1-3-16-rel
mutt-1-3-17-rel
mutt-1-3-18-rel
mutt-1-3-19-rel
mutt-1-3-2-rel
mutt-1-3-20-rel
mutt-1-3-21-rel
mutt-1-3-22-1-rel
mutt-1-3-22-rel
mutt-1-3-23-1-rel
mutt-1-3-23-2-rel
mutt-1-3-23-rel
mutt-1-3-24-rel
mutt-1-3-25-rel
mutt-1-3-26-rel
mutt-1-3-27-rel
mutt-1-3-3-rel
mutt-1-3-4-rel
mutt-1-3-5-rel
mutt-1-3-6-rel
mutt-1-3-7-rel
mutt-1-3-8-rel
mutt-1-3-9-rel
mutt-1-3-rel
mutt-1-5-1-rel
mutt-1-5-10-rel
mutt-1-5-11-rel
mutt-1-5-12-rel
mutt-1-5-13-rel
mutt-1-5-14-rel
mutt-1-5-15-rel
mutt-1-5-16-rel
mutt-1-5-17-rel
mutt-1-5-18-rel
mutt-1-5-19-rel
mutt-1-5-2-rel
mutt-1-5-20-rel
mutt-1-5-21-rel
mutt-1-5-22-rel
mutt-1-5-23-rel
mutt-1-5-24-rel
mutt-1-5-3-rel
mutt-1-5-4-rel
mutt-1-5-5-1-rel
mutt-1-5-5-rel
mutt-1-5-6-rel
mutt-1-5-7-rel
mutt-1-5-8-rel
mutt-1-5-9-rel
mutt-1-6-1-rel
mutt-1-6-2-rel
mutt-1-6-rel
mutt-1-7-1-rel
mutt-1-7-2-rel
mutt-1-7-rel
mutt-1-8-1-rel
mutt-1-8-2-rel
mutt-1-8-3-rel
mutt-1-8-rel
mutt-1-9-1-rel
mutt-1-9-2-rel
mutt-1-9-3-rel
mutt-1-9-4-rel
mutt-1-9-5-rel
mutt-1-9-rel
mutt-2-0-1-rel
mutt-2-0-rel
post-type-punning-patch
pre-type-punning-patch
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28896.json"
vanir_signatures
[
{
"signature_version": "v1",
"source": "https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a",
"digest": {
"threshold": 0.9,
"line_hashes": [
"97681317069022648633321322422684727806",
"36785202708057762196942193442338311117",
"253597231540842366146788943724371966919",
"230559841208464531920669666737772608998",
"280466068186791739870138129894669237743",
"262021813882487199219046830141767096521"
]
},
"target": {
"file": "imap/imap.c"
},
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2020-28896-22711cd6"
},
{
"signature_version": "v1",
"source": "https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a",
"digest": {
"length": 1763.0,
"function_hash": "4204636771050573989830569457519837991"
},
"target": {
"file": "imap/imap.c",
"function": "imap_open_connection"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2020-28896-9803c123"
}
]