CVE-2024-49395
Publication date 12 November 2024
Last updated 16 December 2024
Ubuntu priority
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.
Read the notes from the security team
Why is this CVE low priority?
This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mutt | 24.10 oracular | Ignored no fix planned |
| 24.04 LTS noble | Ignored no fix planned | |
| 22.04 LTS jammy | Ignored no fix planned | |
| 20.04 LTS focal | Ignored no fix planned | |
| 18.04 LTS bionic | Ignored no fix planned | |
| 16.04 LTS xenial | Ignored no fix planned | |
| neomutt | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
Notes
john-breton
Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, and CVE-2024-49395. Neomutt is planning to fix CVE-2024-49395, but it is low priority and no concrete date for a fix was stated (possibly April 2025).
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-49395
- https://bugzilla.redhat.com/show_bug.cgi?id=2325332
- https://access.redhat.com/security/cve/CVE-2024-49395
- https://gitlab.com/muttmua/mutt/-/issues/490#note_2209448655
- http://mutt.org/doc/manual/#crypt-protected-headers-read
- https://github.com/neomutt/neomutt/issues/4234