CVE-2024-49394

Publication date 12 November 2024

Last updated 16 January 2025

Ubuntu priority

Cvss 3 Severity Score

In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.

Read the notes from the security team

Why is this CVE low priority?

This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mutt	24.10 oracular	Ignored no fix planned
	24.04 LTS noble	Ignored no fix planned
	22.04 LTS jammy	Ignored no fix planned
	20.04 LTS focal	Ignored no fix planned
	18.04 LTS bionic	Ignored no fix planned
	16.04 LTS xenial	Ignored no fix planned
neomutt	24.10 oracular	Vulnerable
	24.04 LTS noble	Fixed 20231103+dfsg1-1ubuntu0.1~esm1 Ubuntu Pro
	22.04 LTS jammy	Fixed 20211029+dfsg1-1ubuntu0.1~esm1 Ubuntu Pro
	20.04 LTS focal	Fixed 20191207+dfsg.1-1.1ubuntu0.1~esm1 Ubuntu Pro
	18.04 LTS bionic	Vulnerable

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes

john-breton

Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, and CVE-2024-49395.

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Related Ubuntu Security Notices (USN)

USN-7204-1
NeoMutt vulnerabilities
15 January 2025