CVE-2009-1390 — Improper Authentication in Mutt

CWE-287 — Improper Authentication8 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.4%

top 37.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mutt Debian Mutt

Timeline

PublishedJun 16

Latest updateNov 27

Description

Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/mutt< mutt 1.5.20-1 (bookworm)

▶Debianmutt/mutt< 1.5.20-1+3

▶NVDmutt/mutt1.5.19

Patches

Patch: dev.mutt.org ↗Patch: www.openwall.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-j2p5-74xw-f54p: Mutt 1↗2022-05-02

▶

OSV

CVE-2009-1390: Mutt 1↗2009-06-16

▶

📋Vendor Advisories

Red Hat

Mutt 1.5.19 SSL chain verification flaw↗2009-05-27

▶

Debian

CVE-2009-1390: mutt - Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ss...↗2009

▶

📄Research Papers

arXiv

UniBOM -- A Unified SBOM Analysis and Visualisation Tool for IoT Systems and Beyond↗2025-11-27

▶

💬Community

Bugzilla

CVE-2009-3637 alienarena: Buffer overflow by processing specially-crafted UDP reply from game server (ACE)↗2009-10-23

▶

Bugzilla

CVE-2009-1390 Mutt 1.5.19 SSL chain verification flaw↗2009-06-10

▶