CVE-2020-28896

🗓️ 23 Nov 2020 19:15:11Reported by [email protected]Type

Mutt and NeoMutt versions prior to 2.0.2 and 2020-11-20 respectively, allow exposure of authentication credentials due to incomplete processing of $ssl_force_tls, potentially leading to machine-in-the-middle attacks

Reporter	Title	Published	Views	Family All 111
Tenable Nessus	Amazon Linux 2 : mutt (ALAS-2022-1892)	7 Dec 202200:00	–	nessus
Tenable Nessus	AlmaLinux 8 : mutt (ALSA-2021:4181)	9 Feb 202200:00	–	nessus
Tenable Nessus	CentOS 8 : mutt (CESA-2021:4181)	11 Nov 202100:00	–	nessus
Tenable Nessus	Debian DLA-2472-1 : mutt security update	1 Dec 202000:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP3 : mutt (EulerOS-SA-2021-1098)	20 Jan 202100:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP2 : mutt (EulerOS-SA-2021-1330)	22 Feb 202100:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP5 : mutt (EulerOS-SA-2021-1690)	24 Mar 202100:00	–	nessus
Tenable Nessus	FreeBSD : mutt -- authentication credentials being sent over an unencrypted connection (dc132c91-2b71-11eb-8cfd-4437e6ad11c4)	23 Nov 202000:00	–	nessus
Tenable Nessus	GLSA-202101-32 : Mutt, NeoMutt: Information disclosure	27 Jan 202100:00	–	nessus
Tenable Nessus	MiracleLinux 8 : mutt-2.0.7-1.el8 (AXSA:2021-2863:01)	20 Jan 202600:00	–	nessus

NVD

Node

mutt muttRange<2.0.2

neomutt neomuttRange<2020-11-20

Node

debian debian_linuxMatch9.0

Source	Link
security	www.security.gentoo.org/glsa/202101-32
github	www.github.com/neomutt/neomutt/releases/tag/20201120
github	www.github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
lists	www.lists.debian.org/debian-lts-announce/2020/11/msg00048.html
gitlab	www.gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
gitlab	www.gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f

17 Jun 2026 03:10Current

5.8Medium risk

Vulners AI Score5.8

CVSS 22.6

CVSS 3.15.3

EPSS0.02323