Search for vulnerabilities
Vulnerability details: VCID-gb9t-avnw-aaas
Vulnerability ID VCID-gb9t-avnw-aaas
Aliases CVE-2020-14954
Summary Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Status Published
Exploitability 0.5
Weighted Severity 6.7
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
System Score Found at
generic_textual Medium http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14954.html
cvssv3 7.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14954.json
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.00260 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.03819 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.066 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.066 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
epss 0.0715 https://api.first.org/data/v1/epss?cve=CVE-2020-14954
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1850170
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14954
cvssv3.1 7.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Medium https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc
generic_textual Medium https://github.com/neomutt/neomutt/releases/tag/20200619
generic_textual Medium https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4
generic_textual Medium https://gitlab.com/muttmua/mutt/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4
generic_textual Medium https://gitlab.com/muttmua/mutt/-/issues/248
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2020-14954
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2020-14954
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2020-14954
generic_textual Medium https://ubuntu.com/security/notices/USN-4403-1
generic_textual Medium https://usn.ubuntu.com/usn/usn-4403-1
generic_textual Medium http://www.mutt.org/
Reference id Reference type URL
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14954.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14954.json
https://api.first.org/data/v1/epss?cve=CVE-2020-14954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14954
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc
https://github.com/neomutt/neomutt/releases/tag/20200619
https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4
https://gitlab.com/muttmua/mutt/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4
https://gitlab.com/muttmua/mutt/-/issues/248
https://lists.debian.org/debian-lts-announce/2020/06/msg00039.html
https://lists.debian.org/debian-lts-announce/2020/06/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFMEILCBKMZRRZDMUGWLVN4PQQ4VTAZE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3LXFVPTLK4PNHL6MPKJNJQJ25CH7GLQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFMEILCBKMZRRZDMUGWLVN4PQQ4VTAZE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3LXFVPTLK4PNHL6MPKJNJQJ25CH7GLQ/
https://security.gentoo.org/glsa/202007-57
https://ubuntu.com/security/notices/USN-4403-1
https://usn.ubuntu.com/4403-1/
https://usn.ubuntu.com/usn/usn-4403-1
https://www.debian.org/security/2020/dsa-4707
https://www.debian.org/security/2020/dsa-4708
http://www.mutt.org/
1850170 https://bugzilla.redhat.com/show_bug.cgi?id=1850170
cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*
cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
CVE-2020-14954 https://nvd.nist.gov/vuln/detail/CVE-2020-14954
USN-7204-1 https://usn.ubuntu.com/7204-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14954.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14954
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14954
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14954
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56838
EPSS Score 0.00192
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.