CVE-2024-49393 — Improper Verification of Cryptographic Signature in Red Hat Enterprise Linux (neomutt / mutt)

Severity
NVD: 5.9 (MEDIUM) | CNA: 6.5
EPSS
0.1% (top 75.79%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 12 | Latest update: Jan 15

Description

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing: a PGP/MIME signature covers the signed body part, not these outer headers. An attacker who intercepts a message can therefore change their value and include themselves as one of the recipients; a reply that trusts the unsigned headers is then addressed, and encrypted, to the attacker as well, compromising message confidentiality.
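
The following is an added example, not code from mutt, neomutt or their fixes. It constructs a PGP/MIME-signed message, replays the header tampering the description refers to, and contrasts a reply-all that takes recipients from the unsigned outer To/Cc with one that takes them from a signed copy of those headers. The signed copy uses the protected-headers convention (the first signed part carries protected-headers="v1" and repeats From/To/Cc); that convention, the addresses, the message text and the placeholder signature blob are all assumptions of this example, and signature verification is assumed to have already succeeded rather than performed here.

```python
"""Added example (not code from mutt, neomutt or their fixes): why a reply that
trusts the unsigned To/Cc headers leaks, and a check that does not trust them.
Everything below is constructed sample data; signature verification is assumed
to have already succeeded and is not performed."""
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed PGP/MIME message as the sender transmitted it. The outer headers
# are not covered by the signature; the first signed part carries a copy of
# them marked protected-headers="v1" (assumed convention). The signature blob
# is a placeholder.
SIGNED_ORIGINAL = """\
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Subject: Q3 plan
Message-ID: <m1@example.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8; protected-headers="v1"
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Subject: Q3 plan

Confidential: the acquisition closes on Friday.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
placeholder; a real message carries the detached signature here
-----END PGP SIGNATURE-----
--sig--
"""


def parse(raw):
    """Parse an RFC 5322 message string with the modern email policy."""
    return message_from_string(raw, policy=policy.default)


def addresses(msg, *fields):
    """Lower-cased set of addresses found in the named header fields of msg."""
    values = [str(msg[f]) for f in fields if msg[f] is not None]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def intercept_and_add_cc(msg, attacker):
    """Model the on-path attacker: only the unsigned outer Cc is rewritten."""
    msg.replace_header("Cc", f"{msg['Cc']}, {attacker}")
    return msg


def reply_all_naive(msg):
    """The behaviour the advisory describes: recipients come from outer headers."""
    return addresses(msg, "From", "To", "Cc")


def protected_part(msg):
    """The signed inner part carrying protected-headers="v1", or None."""
    if msg.get_content_type() != "multipart/signed":
        return None
    first = msg.get_payload(0)
    return first if first.get_param("protected-headers") == "v1" else None


def reply_all_checked(msg):
    """Hardened: take recipients from the signed header copy and report every
    address that only the unsigned outer headers contain."""
    inner = protected_part(msg)
    if inner is None:
        raise ValueError("no protected headers: outer To/Cc cannot be verified")
    signed = addresses(inner, "From", "To", "Cc")
    injected = sorted(reply_all_naive(msg) - signed)
    return signed, injected


def demo():
    """Tamper with the constructed message and run both recipient strategies."""
    tampered = intercept_and_add_cc(parse(SIGNED_ORIGINAL), "mallory@example.net")
    naive = reply_all_naive(tampered)
    signed, injected = reply_all_checked(tampered)
    return naive, signed, injected


if __name__ == "__main__":
    naive, signed, injected = demo()
    print("naive reply-all encrypts to:", sorted(naive))
    print("checked reply-all encrypts to:", sorted(signed))
    print("addresses added in transit:", injected)
```

Running the block shows the naive strategy encrypting the reply to mallory@example.net, while the checked strategy keeps the signed recipient set and reports the injected address. A message without a signed header copy makes `reply_all_checked` raise rather than silently fall back to the outer headers; a client would surface that as a warning before encrypting.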

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (1 package)

Debian: neomutt/neomutt < 20241002+dfsg-1+1

Also affects: Red Hat Enterprise Linux 8.0, 9.0

Vulnerability Details (3)

CVEList (2024-11-12)
Mutt: neomutt: To and Cc email header fields are not protected by cryptographic signing

GHSA (2024-11-12)
GHSA-hchw-xwhf-3qvm: In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to chan...

OSV (2024-11-12)
CVE-2024-49393: In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to chan...

Vendor Advisories (3)

Ubuntu (2025-01-15)
NeoMutt vulnerabilities

Red Hat (2024-11-11)
mutt: neomutt: To and Cc email header fields are not protected by cryptographic signing

Debian (2024)
CVE-2024-49393: mutt - In neomutt and mutt, the To and Cc email headers are not validated by cryptograp...
CVE-2024-49393 — Redhat Enterprise Linux vulnerability | cvebase