CVE-2024-49393
Publication date 12 November 2024
Last updated 16 December 2024
Ubuntu priority
In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of the recipients to compromise message confidentiality.
Read the notes from the security team
Why is this CVE low priority?
This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mutt | 24.10 oracular | Ignored no fix planned |
| 24.04 LTS noble | Ignored no fix planned | |
| 22.04 LTS jammy | Ignored no fix planned | |
| 20.04 LTS focal | Ignored no fix planned | |
| 18.04 LTS bionic | Ignored no fix planned | |
| 16.04 LTS xenial | Ignored no fix planned | |
| neomutt | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
Notes
john-breton
Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, and CVE-2024-49395.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.9 · Medium
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-49393
- https://bugzilla.redhat.com/show_bug.cgi?id=2325317
- https://access.redhat.com/security/cve/CVE-2024-49393
- https://gitlab.com/muttmua/mutt/-/issues/490#note_2209448655
- http://mutt.org/doc/manual/#crypt-protected-headers-read
- https://github.com/neomutt/neomutt/commit/913a991a5a8a000c0acc761dd8c9b76eefabfbea