{"id":"CVE-2020-28896","details":"Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.","modified":"2026-03-20T11:36:47.385674Z","published":"2020-11-23T19:15:11.413Z","related":["ALSA-2021:4181","MGASA-2020-0448","SUSE-SU-2020:14551-1","SUSE-SU-2020:3568-1","SUSE-SU-2020:3632-1","openSUSE-SU-2020:2127-1","openSUSE-SU-2020:2128-1","openSUSE-SU-2020:2141-1","openSUSE-SU-2020:2157-1","openSUSE-SU-2020:2158-1","openSUSE-SU-2024:11069-1","openSUSE-SU-2024:11079-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00048.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-32"},{"type":"ADVISORY","url":"https://github.com/neomutt/neomutt/releases/tag/20201120"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/-/commit/d92689088dfe80a290ec836e292376e2d9984f8f"},{"type":"FIX","url":"https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"d92689088dfe80a290ec836e292376e2d9984f8f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.2"}]}},{"type":"GIT","repo":"https://github.com/neomutt/neomutt","events":[{"introduced":"0"},{"fixed":"9c36717a3e2af1f2c1b7242035455ec8112b4b06"},{"fixed":"8a2fc8ca2b7653b213ab9b78a55a7a45bdc2a087"}]},{"type":"GIT","repo":"https://gitlab.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"04b06aaa3e0cc0022b9b01dbca2863756ebbf59a"},{"fixed":"d92689088dfe80a290ec836e292376e2d9984f8f"}]}],"versions":["2019-10-25","20191102","20191111","20191129","20191207","20200313","20200320","20200417","20200424","20200501","20200619","20200626","20200807","20200814","20200821","20200925","mutt-0-92-10i","mutt-0-92-11i","mutt-0-92-9i","mutt-0-93-unstable","mutt-0-94-10i-rel","mutt-0-94-13-rel","mutt-0-94-14-rel","mutt-0-94-15-rel","mutt-0-94-16i-rel","mutt-0-94-17i-rel","mutt-0-94-18-rel","mutt-0-94-5i-rel","mutt-0-94-6i-rel","mutt-0-94-7i-rel","mutt-0-94-8i-rel","mutt-0-94-9i-p1","mutt-0-94-9i-rel","mutt-0-95-rel","mutt-0-96-1-rel","mutt-0-96-2-slightly-post-release","mutt-0-96-3-rel","mutt-0-96-4-rel","mutt-0-96-5-rel","mutt-0-96-6-rel","mutt-0-96-7-rel","mutt-0-96-8-rel","mutt-0-96-rel","mutt-1-1-1-1-rel","mutt-1-1-1-2-rel","mutt-1-1-1-rel","mutt-1-1-10-rel","mutt-1-1-11-rel","mutt-1-1-12-rel","mutt-1-1-13-rel","mutt-1-1-14-rel","mutt-1-1-2-rel","mutt-1-1-3-rel","mutt-1-1-4-rel","mutt-1-1-5-rel","mutt-1-1-6-rel","mutt-1-1-7-rel","mutt-1-1-8-rel","mutt-1-1-9-rel","mutt-1-1-rel","mutt-1-10-1-rel","mutt-1-10-rel","mutt-1-11-1-rel","mutt-1-11-2-rel","mutt-1-11-3-rel","mutt-1-11-4-rel","mutt-1-11-rel","mutt-1-12-1-rel","mutt-1-12-2-rel","mutt-1-12-rel","mutt-1-13-1-rel","mutt-1-13-2-rel","mutt-1-13-3-rel","mutt-1-13-4-rel","mutt-1-13-5-rel","mutt-1-13-rel","mutt-1-14-1-rel","mutt-1-14-2-rel","mutt-1-14-3-rel","mutt-1-14-4-rel","mutt-1-14-5-rel","mutt-1-14-6-rel","mutt-1-14-7-rel","mutt-1-14-rel","mutt-1-3-1-rel","mutt-1-3-10-rel","mutt-1-3-11-rel","mutt-1-3-12-rel","mutt-1-3-13-rel","mutt-1-3-14-rel","mutt-1-3-15-rel","mutt-1-3-16-rel","mutt-1-3-17-rel","mutt-1-3-18-rel","mutt-1-3-19-rel","mutt-1-3-2-rel","mutt-1-3-20-rel","mutt-1-3-21-rel","mutt-1-3-22-1-rel","mutt-1-3-22-rel","mutt-1-3-23-1-rel","mutt-1-3-23-2-rel","mutt-1-3-23-rel","mutt-1-3-24-rel","mutt-1-3-25-rel","mutt-1-3-26-rel","mutt-1-3-27-rel","mutt-1-3-3-rel","mutt-1-3-4-rel","mutt-1-3-5-rel","mutt-1-3-6-rel","mutt-1-3-7-rel","mutt-1-3-8-rel","mutt-1-3-9-rel","mutt-1-3-rel","mutt-1-5-1-rel","mutt-1-5-10-rel","mutt-1-5-11-rel","mutt-1-5-12-rel","mutt-1-5-13-rel","mutt-1-5-14-rel","mutt-1-5-15-rel","mutt-1-5-16-rel","mutt-1-5-17-rel","mutt-1-5-18-rel","mutt-1-5-19-rel","mutt-1-5-2-rel","mutt-1-5-20-rel","mutt-1-5-21-rel","mutt-1-5-22-rel","mutt-1-5-23-rel","mutt-1-5-24-rel","mutt-1-5-3-rel","mutt-1-5-4-rel","mutt-1-5-5-1-rel","mutt-1-5-5-rel","mutt-1-5-6-rel","mutt-1-5-7-rel","mutt-1-5-8-rel","mutt-1-5-9-rel","mutt-1-6-1-rel","mutt-1-6-2-rel","mutt-1-6-rel","mutt-1-7-1-rel","mutt-1-7-2-rel","mutt-1-7-rel","mutt-1-8-1-rel","mutt-1-8-2-rel","mutt-1-8-3-rel","mutt-1-8-rel","mutt-1-9-1-rel","mutt-1-9-2-rel","mutt-1-9-3-rel","mutt-1-9-4-rel","mutt-1-9-5-rel","mutt-1-9-rel","mutt-2-0-1-rel","mutt-2-0-rel","neomutt-20160822","neomutt-20160827","neomutt-20160910","neomutt-20160916","neomutt-20161002","neomutt-20161003","neomutt-20161014","neomutt-20161028","neomutt-20161104","neomutt-20161126","neomutt-20170113","neomutt-20170128","neomutt-20170206","neomutt-20170225","neomutt-20170306","neomutt-20170414","neomutt-20170421","neomutt-20170428","neomutt-20170526","neomutt-20170602","neomutt-20170609","neomutt-20170707","neomutt-20170714","neomutt-20170907","neomutt-20170912","neomutt-20171006","neomutt-20171013","neomutt-20171027","neomutt-20171208","neomutt-20171215","neomutt-20180223","neomutt-20180323","neomutt-20180512","neomutt-20180622","neomutt-20180716","post-type-punning-patch","pre-type-punning-patch"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2020-11-20"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28896.json","vanir_signatures":[{"digest":{"line_hashes":["97681317069022648633321322422684727806","36785202708057762196942193442338311117","253597231540842366146788943724371966919","230559841208464531920669666737772608998","280466068186791739870138129894669237743","262021813882487199219046830141767096521"],"threshold":0.9},"source":"https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a","id":"CVE-2020-28896-22711cd6","signature_version":"v1","target":{"file":"imap/imap.c"},"deprecated":false,"signature_type":"Line"},{"digest":{"length":1744,"function_hash":"202502016177147320487911206437497836801"},"source":"https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06","id":"CVE-2020-28896-310f4177","signature_version":"v1","target":{"function":"imap_open_connection","file":"imap/imap.c"},"deprecated":false,"signature_type":"Function"},{"digest":{"line_hashes":["286078888561440764963754111001874170214","138677912911684076071538171270727982409","8469493152676353125235616666611982766","151210996820641048238653260975568679385","197676711550233223041620179508224361397","243278584382770291463985835770676195496","49304822103842324147419956674017035501","258071259237864162367846400173725670645","158969505239337468576499793844749391902","198714526768278661163508272892097614317","81681430369553413535836371526730707296","312226577905102150186839279536172437","94155202352352823451083128446795154982","198714526768278661163508272892097614317","81681430369553413535836371526730707296","339158229765175876716905195750260807423","291147170475806138760391662777557853853","226677642943443396717113156868587596264","307552207789802678498210380374844441654","105762104976082084892920596628612734565","214200509669293428569750858998133236569","56322473773121290834197305658162405616","89938834577386823368124135839803635555","56309300704248097572272131029656428187"],"threshold":0.9},"source":"https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06","id":"CVE-2020-28896-7565f4be","signature_version":"v1","target":{"file":"imap/imap.c"},"deprecated":false,"signature_type":"Line"},{"digest":{"length":1763,"function_hash":"4204636771050573989830569457519837991"},"source":"https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a","id":"CVE-2020-28896-9803c123","signature_version":"v1","target":{"function":"imap_open_connection","file":"imap/imap.c"},"deprecated":false,"signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}