CVE-2020-14954

2020-06-2117:15:09

Debian Security Bug Tracker

security-tracker.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

66.1%

JSON

Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a “begin TLS” response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka “response injection.”

OSVersionArchitecturePackageVersionFilename
Debian12allmutt< 1.14.4-1mutt_1.14.4-1_all.deb
Debian11allmutt< 1.14.4-1mutt_1.14.4-1_all.deb
Debian999allmutt< 1.14.4-1mutt_1.14.4-1_all.deb
Debian13allmutt< 1.14.4-1mutt_1.14.4-1_all.deb
Debian12allneomutt< 20200619+dfsg.1-1neomutt_20200619+dfsg.1-1_all.deb
Debian11allneomutt< 20200619+dfsg.1-1neomutt_20200619+dfsg.1-1_all.deb
Debian999allneomutt< 20200619+dfsg.1-1neomutt_20200619+dfsg.1-1_all.deb
Debian13allneomutt< 20200619+dfsg.1-1neomutt_20200619+dfsg.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	mutt	< 1.14.4-1	mutt_1.14.4-1_all.deb
Debian	11	all	mutt	< 1.14.4-1	mutt_1.14.4-1_all.deb
Debian	999	all	mutt	< 1.14.4-1	mutt_1.14.4-1_all.deb
Debian	13	all	mutt	< 1.14.4-1	mutt_1.14.4-1_all.deb
Debian	12	all	neomutt	< 20200619+dfsg.1-1	neomutt_20200619+dfsg.1-1_all.deb
Debian	11	all	neomutt	< 20200619+dfsg.1-1	neomutt_20200619+dfsg.1-1_all.deb
Debian	999	all	neomutt	< 20200619+dfsg.1-1	neomutt_20200619+dfsg.1-1_all.deb
Debian	13	all	neomutt	< 20200619+dfsg.1-1	neomutt_20200619+dfsg.1-1_all.deb