Search for vulnerabilities
Vulnerability details: VCID-n1xd-nbzj-aaaq
Vulnerability ID VCID-n1xd-nbzj-aaaq
Aliases CVE-2020-28896
Summary Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-287 Improper Authentication
CWE-755 Improper Handling of Exceptional Conditions
CWE-319 Cleartext Transmission of Sensitive Information
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28896.html
rhas Moderate https://access.redhat.com/errata/RHSA-2021:4181
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28896.json
epss 0.00268 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00268 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00268 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00268 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00379 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00379 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00379 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00491 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.0176 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1900826
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Medium https://github.com/neomutt/neomutt/releases/tag/20201120
generic_textual Medium https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
cvssv2 2.6 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
cvssv3 5.3 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
archlinux High https://security.archlinux.org/AVG-1288
archlinux High https://security.archlinux.org/AVG-1289
generic_textual Medium https://ubuntu.com/security/notices/USN-4645-1
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28896.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28896.json
https://api.first.org/data/v1/epss?cve=CVE-2020-28896
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
https://github.com/neomutt/neomutt/releases/tag/20201120
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
https://security.gentoo.org/glsa/202101-32
https://ubuntu.com/security/notices/USN-4645-1
1900826 https://bugzilla.redhat.com/show_bug.cgi?id=1900826
ASA-202011-24 https://security.archlinux.org/ASA-202011-24
ASA-202011-25 https://security.archlinux.org/ASA-202011-25
AVG-1288 https://security.archlinux.org/AVG-1288
AVG-1289 https://security.archlinux.org/AVG-1289
cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*
cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2020-28896 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
RHSA-2021:4181 https://access.redhat.com/errata/RHSA-2021:4181
USN-4645-1 https://usn.ubuntu.com/4645-1/
USN-7204-1 https://usn.ubuntu.com/7204-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28896.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-28896
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-28896
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-28896
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.67318
EPSS Score 0.00268
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.