CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
69.9%
Severity: High
Date : 2020-11-26
CVE-ID : CVE-2020-28896
Package : mutt
Type : silent downgrade
Remote : Yes
Link : https://security.archlinux.org/AVG-1288
The package mutt before version 2.0.2-1 is vulnerable to silent
downgrade.
Upgrade to 2.0.2-1.
The problem has been fixed upstream in version 2.0.2.
None.
A security issue has been found in Mutt before version 2.0.2 and
NeoMutt before version 20201120 that could result in authentication
credentials being sent over an unencrypted connection, without
$ssl_force_tls being consulted. During connection, if the server
provided an illegal initial response, the application “bailed”, but did
not actually close the connection. The calling code relied on the
connection status to decide to continue with authentication, instead of
checking the “bail” return value.
An attacker in position of man-in-the-middle might be able to intercept
and alter messages between the e-mail client and the server.
http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html
https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
https://security.archlinux.org/CVE-2020-28896
lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html
github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html
security.archlinux.org/AVG-1288
security.archlinux.org/CVE-2020-28896
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
69.9%