Lucene search

K

[email protected]NVD:CVE-2020-14954

HistoryJun 21, 2020 - 5:15 p.m.

CVE-2020-14954

2020-06-2117:15:09

CWE-74

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.003 Low

EPSS

Percentile

66.1%

Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a “begin TLS” response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka “response injection.”

Affected configurations

NVD

Node

muttmuttRange<1.14.4

Node

debiandebian_linuxMatch9.0

OR

debiandebian_linuxMatch10.0

Node

neomuttneomuttRange<20200619

Node

fedoraprojectfedoraMatch31

OR

fedoraprojectfedoraMatch32

Node

debiandebian_linuxMatch8.0

Node

canonicalubuntu_linuxMatch12.04-

OR

canonicalubuntu_linuxMatch16.04esm

OR

canonicalubuntu_linuxMatch18.04lts

OR

canonicalubuntu_linuxMatch19.10

OR

canonicalubuntu_linuxMatch20.04lts

Node

opensuseleapMatch15.1

OR

opensuseleapMatch15.2

References

lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html

lists.opensuse.org/opensuse-security-announce/2020-06/msg00064.html

lists.opensuse.org/opensuse-security-announce/2020-06/msg00070.html

www.mutt.org/

github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc

github.com/neomutt/neomutt/releases/tag/20200619

gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4

gitlab.com/muttmua/mutt/-/issues/248

lists.debian.org/debian-lts-announce/2020/06/msg00039.html

lists.debian.org/debian-lts-announce/2020/06/msg00040.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFMEILCBKMZRRZDMUGWLVN4PQQ4VTAZE/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3LXFVPTLK4PNHL6MPKJNJQJ25CH7GLQ/

security.gentoo.org/glsa/202007-57

usn.ubuntu.com/4403-1/

www.debian.org/security/2020/dsa-4707

www.debian.org/security/2020/dsa-4708

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.003 Low

EPSS

Percentile

66.1%

Related for NVD:CVE-2020-14954

freebsd1 nessus22 veracode1 prion1 cvelist1 openvas16 fedora2 redhatcve1 ubuntucve1 osv5 cve1 ubuntu1 debiancve1 debian3 suse5 mageia1 gentoo1 amazon1 rosalinux1