Search for vulnerabilities
Vulnerability details: VCID-y5mf-2t3a-kqf9
Vulnerability ID VCID-y5mf-2t3a-kqf9
Aliases CVE-2020-28896
Summary Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-319 Cleartext Transmission of Sensitive Information
CWE-287 Improper Authentication
CWE-755 Improper Handling of Exceptional Conditions
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28896.json
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
epss 0.00288 https://api.first.org/data/v1/epss?cve=CVE-2020-28896
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 2.6 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
archlinux High https://security.archlinux.org/AVG-1288
archlinux High https://security.archlinux.org/AVG-1289
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28896.json
https://api.first.org/data/v1/epss?cve=CVE-2020-28896
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
https://github.com/neomutt/neomutt/releases/tag/20201120
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
https://security.gentoo.org/glsa/202101-32
1900826 https://bugzilla.redhat.com/show_bug.cgi?id=1900826
ASA-202011-24 https://security.archlinux.org/ASA-202011-24
ASA-202011-25 https://security.archlinux.org/ASA-202011-25
AVG-1288 https://security.archlinux.org/AVG-1288
AVG-1289 https://security.archlinux.org/AVG-1289
cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*
cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:neomutt:neomutt:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2020-28896 https://nvd.nist.gov/vuln/detail/CVE-2020-28896
RHSA-2021:4181 https://access.redhat.com/errata/RHSA-2021:4181
USN-4645-1 https://usn.ubuntu.com/4645-1/
USN-7204-1 https://usn.ubuntu.com/7204-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28896.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-28896
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-28896
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.51932
EPSS Score 0.00288
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:31:19.478929+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.18/community.json 37.0.0