VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2020 · Updated Aug 4, 2024

CVE-2020-28896

Description

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mutt <2.0.2 and NeoMutt <2020-11-20 fail to enforce $ssl_force_tls when IMAP server provides invalid initial response, risking credential exposure.

Vulnerability

Mutt versions before 2.0.2 and NeoMutt versions before 2020-11-20 contain a flaw in IMAP connection handling. When an IMAP server returns an invalid initial response, the code bails but does not close the connection. The calling code then continues authentication based on connection status, bypassing the $ssl_force_tls configuration, which would require an encrypted connection [1][2][4].

Exploitation

An attacker who can intercept network traffic (man-in-the-middle) or cause the IMAP server to send an invalid initial response can trigger this bug. The user's MUA (Mutt or NeoMutt) will then proceed with authentication over an unencrypted connection, without the protection of $ssl_force_tls [1][3][4].

Impact

Successful exploitation allows an attacker to capture authentication credentials (username and password) sent in cleartext over the network. The attacker gains unauthorized access to the user's IMAP account, leading to information disclosure and potential further compromise [2][4].

Mitigation

The vulnerability is fixed in Mutt 2.0.2 [1] and NeoMutt 2020-11-20 [2]. Users should upgrade to these versions or later. No workaround is available; the fix ensures the IMAP connection is properly closed on any error, preventing authentication on untrusted channels [3][4].
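The control-flow defect described under Vulnerability and the fix described under Mitigation, modelled as an added illustration (constructed code, not Mutt or NeoMutt source): FakeSocket stands in for the IMAP transport, and the greetings and credentials are sample data.

```python
# Constructed model of the CVE-2020-28896 flow: an invalid greeting makes the
# connection setup bail out; whether it also closes the socket decides whether
# the caller, which only looks at connection state, goes on to send credentials.
from dataclasses import dataclass, field


@dataclass
class FakeSocket:
    greeting: bytes          # the "server's" initial response (sample data)
    tls: bool = False        # True once the transport is encrypted
    closed: bool = False
    sent: list = field(default_factory=list)

    def readline(self) -> bytes:
        return self.greeting

    def send(self, data: bytes) -> None:
        if self.closed:
            raise ConnectionError("socket is closed")
        self.sent.append(data)

    def close(self) -> None:
        self.closed = True


def greeting_ok(line: bytes) -> bool:
    # RFC 3501 servers greet with "* OK" or "* PREAUTH"; anything else is invalid.
    return line.startswith((b"* OK", b"* PREAUTH"))


def open_connection(sock: FakeSocket, ssl_force_tls: bool, close_on_error: bool) -> bool:
    """Validate the greeting and enforce ssl_force_tls. Returns True if login is safe."""
    if not greeting_ok(sock.readline()):
        # The bug: the pre-2.0.2 flow bailed here WITHOUT closing, so the
        # ssl_force_tls check below was skipped and the caller kept an open socket.
        if close_on_error:
            sock.close()
        return False
    if ssl_force_tls and not sock.tls:
        sock.close()   # no STARTTLS step in this model: refuse a plaintext session
        return False
    return True


def authenticate(sock: FakeSocket, ssl_force_tls: bool, close_on_error: bool) -> str:
    """Caller pattern from the advisory: log in based on connection state, not the return value."""
    open_connection(sock, ssl_force_tls, close_on_error)
    if sock.closed:
        return "aborted"
    sock.send(b"a001 LOGIN user secret\r\n")          # sample credentials
    return "sent over TLS" if sock.tls else "sent in cleartext"
```

With `close_on_error=False` an invalid greeting leaves the socket open and the credentials go out in cleartext despite `ssl_force_tls`; with `close_on_error=True` the caller's state check aborts the login.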

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 35

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)