CVE-2011-1429 — Improper Input Validation in Mutt

CWE-20 — Improper Input Validation9 documents8 sources

Severity

5.8MEDIUMNVD

OSV6.8

EPSS

0.2%

top 52.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mutt Debian Mutt

Timeline

PublishedMar 16

Latest updateMay 17

Description

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶debiandebian/mutt< mutt 1.5.21-5 (bookworm)

▶Debianmutt/mutt< 1.5.21-5+3

Patches

Patch: seclists.org ↗Patch: seclists.org ↗

🔴Vulnerability Details

GHSA

GHSA-h64v-56v4-2q6j: Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X↗2022-05-17

▶

OSV

CVE-2011-1429: Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X↗2011-03-16

▶

💥Exploits & PoCs

Exploit-DB

Symantec System Center Alert Management System - 'xfr.exe' Arbitrary Command Execution (Metasploit)↗2011-08-19

▶

📋Vendor Advisories

Ubuntu

Mutt vulnerability↗2011-09-29

▶

Red Hat

mutt: SSL host name check may be skipped when verifying certificate chain↗2011-03-08

▶

Debian

CVE-2011-1429: mutt - Mutt does not verify that the smtps server hostname matches the domain name of t...↗2011

▶

💬Community

Bugzilla

CVE-2011-1429 mutt: improper verification of X.509 certificates can lead to MITM attacks on SMTP SSL connections [fedora-all]↗2011-03-17

▶

Bugzilla

CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certificate chain↗2011-03-17

▶