CVE-2020-28896
- Source
- https://cve.org/CVERecord?id=CVE-2020-28896
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28896.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-28896
- Downstream
- Related
- Published
- 2020-11-23T19:15:11.413Z
- Modified
- 2026-03-14T14:47:12.503058Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $sslforcetls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
- References
-
- https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html
- https://security.gentoo.org/glsa/202101-32
- https://github.com/neomutt/neomutt/releases/tag/20201120
- https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f
- https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
- https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
Affected packages
Git / github.com/muttmua/mutt
Affected ranges
- Type
- GIT
- Repo
- https://github.com/muttmua/mutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "2.0.2" } ] }
- Type
- GIT
- Repo
- https://github.com/neomutt/neomutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Type
- GIT
- Repo
- https://gitlab.com/muttmua/mutt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
Other
2019-10-25
20191102
20191111
20191129
20191207
20200313
20200320
20200417
20200424
20200501
20200619
20200626
20200807
20200814
20200821
20200925
mutt-0-92-10i
mutt-0-92-11i
mutt-0-92-9i
mutt-0-93-unstable
mutt-0-94-10i-rel
mutt-0-94-13-rel
mutt-0-94-14-rel
mutt-0-94-15-rel
mutt-0-94-16i-rel
mutt-0-94-17i-rel
mutt-0-94-18-rel
mutt-0-94-5i-rel
mutt-0-94-6i-rel
mutt-0-94-7i-rel
mutt-0-94-8i-rel
mutt-0-94-9i-p1
mutt-0-94-9i-rel
mutt-0-95-rel
mutt-0-96-1-rel
mutt-0-96-2-slightly-post-release
mutt-0-96-3-rel
mutt-0-96-4-rel
mutt-0-96-5-rel
mutt-0-96-6-rel
mutt-0-96-7-rel
mutt-0-96-8-rel
mutt-0-96-rel
mutt-1-1-1-1-rel
mutt-1-1-1-2-rel
mutt-1-1-1-rel
mutt-1-1-10-rel
mutt-1-1-11-rel
mutt-1-1-12-rel
mutt-1-1-13-rel
mutt-1-1-14-rel
mutt-1-1-2-rel
mutt-1-1-3-rel
mutt-1-1-4-rel
mutt-1-1-5-rel
mutt-1-1-6-rel
mutt-1-1-7-rel
mutt-1-1-8-rel
mutt-1-1-9-rel
mutt-1-1-rel
mutt-1-10-1-rel
mutt-1-10-rel
mutt-1-11-1-rel
mutt-1-11-2-rel
mutt-1-11-3-rel
mutt-1-11-4-rel
mutt-1-11-rel
mutt-1-12-1-rel
mutt-1-12-2-rel
mutt-1-12-rel
mutt-1-13-1-rel
mutt-1-13-2-rel
mutt-1-13-3-rel
mutt-1-13-4-rel
mutt-1-13-5-rel
mutt-1-13-rel
mutt-1-14-1-rel
mutt-1-14-2-rel
mutt-1-14-3-rel
mutt-1-14-4-rel
mutt-1-14-5-rel
mutt-1-14-6-rel
mutt-1-14-7-rel
mutt-1-14-rel
mutt-1-3-1-rel
mutt-1-3-10-rel
mutt-1-3-11-rel
mutt-1-3-12-rel
mutt-1-3-13-rel
mutt-1-3-14-rel
mutt-1-3-15-rel
mutt-1-3-16-rel
mutt-1-3-17-rel
mutt-1-3-18-rel
mutt-1-3-19-rel
mutt-1-3-2-rel
mutt-1-3-20-rel
mutt-1-3-21-rel
mutt-1-3-22-1-rel
mutt-1-3-22-rel
mutt-1-3-23-1-rel
mutt-1-3-23-2-rel
mutt-1-3-23-rel
mutt-1-3-24-rel
mutt-1-3-25-rel
mutt-1-3-26-rel
mutt-1-3-27-rel
mutt-1-3-3-rel
mutt-1-3-4-rel
mutt-1-3-5-rel
mutt-1-3-6-rel
mutt-1-3-7-rel
mutt-1-3-8-rel
mutt-1-3-9-rel
mutt-1-3-rel
mutt-1-5-1-rel
mutt-1-5-10-rel
mutt-1-5-11-rel
mutt-1-5-12-rel
mutt-1-5-13-rel
mutt-1-5-14-rel
mutt-1-5-15-rel
mutt-1-5-16-rel
mutt-1-5-17-rel
mutt-1-5-18-rel
mutt-1-5-19-rel
mutt-1-5-2-rel
mutt-1-5-20-rel
mutt-1-5-21-rel
mutt-1-5-22-rel
mutt-1-5-23-rel
mutt-1-5-24-rel
mutt-1-5-3-rel
mutt-1-5-4-rel
mutt-1-5-5-1-rel
mutt-1-5-5-rel
mutt-1-5-6-rel
mutt-1-5-7-rel
mutt-1-5-8-rel
mutt-1-5-9-rel
mutt-1-6-1-rel
mutt-1-6-2-rel
mutt-1-6-rel
mutt-1-7-1-rel
mutt-1-7-2-rel
mutt-1-7-rel
mutt-1-8-1-rel
mutt-1-8-2-rel
mutt-1-8-3-rel
mutt-1-8-rel
mutt-1-9-1-rel
mutt-1-9-2-rel
mutt-1-9-3-rel
mutt-1-9-4-rel
mutt-1-9-5-rel
mutt-1-9-rel
mutt-2-0-1-rel
mutt-2-0-rel
neomutt-20160822
neomutt-20160827
neomutt-20160910
neomutt-20160916
neomutt-20161002
neomutt-20161003
neomutt-20161014
neomutt-20161028
neomutt-20161104
neomutt-20161126
neomutt-20170113
neomutt-20170128
neomutt-20170206
neomutt-20170225
neomutt-20170306
neomutt-20170414
neomutt-20170421
neomutt-20170428
neomutt-20170526
neomutt-20170602
neomutt-20170609
neomutt-20170707
neomutt-20170714
neomutt-20170907
neomutt-20170912
neomutt-20171006
neomutt-20171013
neomutt-20171027
neomutt-20171208
neomutt-20171215
neomutt-20180223
neomutt-20180323
neomutt-20180512
neomutt-20180622
neomutt-20180716
post-type-punning-patch
pre-type-punning-patch
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2020-11-20"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
}
]
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2020-28896-22711cd6",
"target": {
"file": "imap/imap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"97681317069022648633321322422684727806",
"36785202708057762196942193442338311117",
"253597231540842366146788943724371966919",
"230559841208464531920669666737772608998",
"280466068186791739870138129894669237743",
"262021813882487199219046830141767096521"
]
},
"signature_version": "v1",
"source": "https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2020-28896-310f4177",
"target": {
"file": "imap/imap.c",
"function": "imap_open_connection"
},
"digest": {
"length": 1744.0,
"function_hash": "202502016177147320487911206437497836801"
},
"signature_version": "v1",
"source": "https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06"
},
{
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2020-28896-7565f4be",
"target": {
"file": "imap/imap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"286078888561440764963754111001874170214",
"138677912911684076071538171270727982409",
"8469493152676353125235616666611982766",
"151210996820641048238653260975568679385",
"197676711550233223041620179508224361397",
"243278584382770291463985835770676195496",
"49304822103842324147419956674017035501",
"258071259237864162367846400173725670645",
"158969505239337468576499793844749391902",
"198714526768278661163508272892097614317",
"81681430369553413535836371526730707296",
"312226577905102150186839279536172437",
"94155202352352823451083128446795154982",
"198714526768278661163508272892097614317",
"81681430369553413535836371526730707296",
"339158229765175876716905195750260807423",
"291147170475806138760391662777557853853",
"226677642943443396717113156868587596264",
"307552207789802678498210380374844441654",
"105762104976082084892920596628612734565",
"214200509669293428569750858998133236569",
"56322473773121290834197305658162405616",
"89938834577386823368124135839803635555",
"56309300704248097572272131029656428187"
]
},
"signature_version": "v1",
"source": "https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06"
},
{
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2020-28896-9803c123",
"target": {
"file": "imap/imap.c",
"function": "imap_open_connection"
},
"digest": {
"length": 1763.0,
"function_hash": "4204636771050573989830569457519837991"
},
"signature_version": "v1",
"source": "https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28896.json"