In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of the recipients to compromise message confidentiality.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "priority_reason": "This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.", "binaries": [ { "binary_name": "neomutt", "binary_version": "20191207+dfsg.1-1.1ubuntu0.1~esm1" }, { "binary_name": "neomutt-dbgsym", "binary_version": "20191207+dfsg.1-1.1ubuntu0.1~esm1" } ] }
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "priority_reason": "This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.", "binaries": [ { "binary_name": "neomutt", "binary_version": "20211029+dfsg1-1ubuntu0.1~esm1" }, { "binary_name": "neomutt-dbgsym", "binary_version": "20211029+dfsg1-1ubuntu0.1~esm1" } ] }
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "priority_reason": "This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.", "binaries": [ { "binary_name": "neomutt", "binary_version": "20231103+dfsg1-1ubuntu0.1~esm1" }, { "binary_name": "neomutt-dbgsym", "binary_version": "20231103+dfsg1-1ubuntu0.1~esm1" } ] }