CVE-2024-49394

In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2024-49394	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2325330	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mutt:mutt:-:::::::*
	cpe:2.3:a:neomutt:neomutt:-:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

History

No history.

Information

Published : 2024-11-12 03:15

Updated : 2024-11-14 13:38

NVD link : CVE-2024-49394

Mitre link : CVE-2024-49394

CVE.ORG link : CVE-2024-49394

JSON object : View

Products Affected

redhat

enterprise_linux

mutt

mutt

neomutt

neomutt

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2024-49394", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-11-12T03:15:03.677", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-49394", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325330", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender."}, {"lang": "es", "value": "En mutt y neomutt, el campo de encabezado de correo electr\u00f3nico In-Reply-To no est\u00e1 protegido por firma criptogr\u00e1fica, lo que permite a un atacante reutilizar un mensaje de correo electr\u00f3nico no cifrado pero firmado para hacerse pasar por el remitente original."}], "lastModified": "2024-11-14T13:38:04.143", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mutt:mutt:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37CCB5EA-B0AB-4082-BCFC-A437D0DCF57D"}, {"criteria": "cpe:2.3:a:neomutt:neomutt:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F74FCE2-5FC0-4FA7-9B71-DFA849AF5545"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}