CVE-2023-4874 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
GitLab	CNA	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Vendor	Product	Version
mutt	mutt	1.5.2 < 𝑥 < 2.2.12
debian	debian_linux	10.0
debian	debian_linux	11.0
debian	debian_linux	12.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

mutt

bullseye (security)	2.0.5-4.1+deb11u3 fixed
bullseye	2.0.5-4.1+deb11u3 fixed
bookworm	2.2.12-0.1~deb12u1 fixed
bookworm (security)	2.2.9-1+deb12u1 fixed
sid	2.2.13-1 fixed
trixie	2.2.13-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

mutt

mantic	Fixed 2.2.9-1ubuntu0.23.10.1 released
lunar	Fixed 2.2.9-1ubuntu0.23.04.1 released
jammy	Fixed 2.1.4-1ubuntu1.2 released
focal	Fixed 1.13.2-1ubuntu0.6 released
bionic	Fixed 1.9.4-3ubuntu0.6+esm1 released
xenial	Fixed 1.5.24-1ubuntu0.6+esm3 released
trusty	ignored

Common Weakness Enumeration

CWE-475 - Undefined Behavior for Input to API
The behavior of this function is undefined unless its control parameter is set to a specific value.
CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch

https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0.patch

http://www.openwall.com/lists/oss-security/2023/09/26/6

https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch

https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0.patch

https://lists.debian.org/debian-lts-announce/2023/09/msg00021.html

https://www.debian.org/security/2023/dsa-5494