{"id":"CVE-2018-14355","details":"An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/util.c mishandles \"..\" directory traversal in a mailbox name.","modified":"2026-04-16T06:15:18.847296647Z","published":"2018-07-17T17:29:00.590Z","related":["SUSE-SU-2018:2084-1","SUSE-SU-2018:2085-1","SUSE-SU-2018:2403-1","SUSE-SU-2019:1196-1","openSUSE-SU-2024:11069-1","openSUSE-SU-2024:11079-1"],"references":[{"type":"ADVISORY","url":"https://neomutt.org/2018/07/16/release"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201810-07"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3719-3/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4277"},{"type":"ADVISORY","url":"http://www.mutt.org/news.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html"},{"type":"FIX","url":"https://github.com/neomutt/neomutt/commit/57971dba06346b2d7179294f4528b8d4427a7c5d"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/commit/31eef6c766f47df8281942d19f76e35f475c781d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"ed9d7727dc705754871e31cb41420f0ea956495b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.10.1"}]}},{"type":"GIT","repo":"https://github.com/neomutt/neomutt","events":[{"introduced":"0"},{"fixed":"6a147a62cf39c2a12cf2e96a8a62f378164548fa"},{"fixed":"57971dba06346b2d7179294f4528b8d4427a7c5d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"20180716"}]}},{"type":"GIT","repo":"https://gitlab.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"31eef6c766f47df8281942d19f76e35f475c781d"}]}],"versions":["mutt-0-92-10i","mutt-0-92-11i","mutt-0-92-9i","mutt-0-93-unstable","mutt-0-94-10i-rel","mutt-0-94-13-rel","mutt-0-94-14-rel","mutt-0-94-15-rel","mutt-0-94-16i-rel","mutt-0-94-17i-rel","mutt-0-94-18-rel","mutt-0-94-5i-rel","mutt-0-94-6i-rel","mutt-0-94-7i-rel","mutt-0-94-8i-rel","mutt-0-94-9i-p1","mutt-0-94-9i-rel","mutt-0-95-rel","mutt-0-96-1-rel","mutt-0-96-2-slightly-post-release","mutt-0-96-3-rel","mutt-0-96-4-rel","mutt-0-96-5-rel","mutt-0-96-6-rel","mutt-0-96-7-rel","mutt-0-96-8-rel","mutt-0-96-rel","mutt-1-1-1-1-rel","mutt-1-1-1-2-rel","mutt-1-1-1-rel","mutt-1-1-10-rel","mutt-1-1-11-rel","mutt-1-1-12-rel","mutt-1-1-13-rel","mutt-1-1-14-rel","mutt-1-1-2-rel","mutt-1-1-3-rel","mutt-1-1-4-rel","mutt-1-1-5-rel","mutt-1-1-6-rel","mutt-1-1-7-rel","mutt-1-1-8-rel","mutt-1-1-9-rel","mutt-1-1-rel","mutt-1-10-rel","mutt-1-3-1-rel","mutt-1-3-10-rel","mutt-1-3-11-rel","mutt-1-3-12-rel","mutt-1-3-13-rel","mutt-1-3-14-rel","mutt-1-3-15-rel","mutt-1-3-16-rel","mutt-1-3-17-rel","mutt-1-3-18-rel","mutt-1-3-19-rel","mutt-1-3-2-rel","mutt-1-3-20-rel","mutt-1-3-21-rel","mutt-1-3-22-1-rel","mutt-1-3-22-rel","mutt-1-3-23-1-rel","mutt-1-3-23-2-rel","mutt-1-3-23-rel","mutt-1-3-24-rel","mutt-1-3-25-rel","mutt-1-3-26-rel","mutt-1-3-27-rel","mutt-1-3-3-rel","mutt-1-3-4-rel","mutt-1-3-5-rel","mutt-1-3-6-rel","mutt-1-3-7-rel","mutt-1-3-8-rel","mutt-1-3-9-rel","mutt-1-3-rel","mutt-1-5-1-rel","mutt-1-5-15-rel","mutt-1-5-16-rel","mutt-1-5-17-rel","mutt-1-5-18-rel","mutt-1-5-19-rel","mutt-1-5-2-rel","mutt-1-5-20-rel","mutt-1-5-21-rel","mutt-1-5-22-rel","mutt-1-5-24-rel","mutt-1-5-3-rel","mutt-1-5-4-rel","mutt-1-5-5-1-rel","mutt-1-5-5-rel","mutt-1-5-6-rel","mutt-1-6-rel","mutt-1-7-rel","mutt-1-8-rel","mutt-1-9-rel","neomutt-20160822","neomutt-20160827","neomutt-20160910","neomutt-20160916","neomutt-20161002","neomutt-20161003","neomutt-20161014","neomutt-20161028","neomutt-20161104","neomutt-20161126","neomutt-20170113","neomutt-20170128","neomutt-20170206","neomutt-20170225","neomutt-20170306","neomutt-20170414","neomutt-20170421","neomutt-20170428","neomutt-20170526","neomutt-20170602","neomutt-20170609","neomutt-20170707","neomutt-20170714","neomutt-20170907","neomutt-20170912","neomutt-20171006","neomutt-20171013","neomutt-20171027","neomutt-20171208","neomutt-20171215","neomutt-20180223","neomutt-20180323","neomutt-20180512","neomutt-20180622","post-type-punning-patch","pre-type-punning-patch"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["141797331147250530911102648456595779174","2704004268200097547417893485547819295","273163297609346434882187086790240664951"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/neomutt/neomutt/commit/57971dba06346b2d7179294f4528b8d4427a7c5d","id":"CVE-2018-14355-059f90cb","target":{"file":"imap/util.c"},"signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["305912007481164313825398694367915039689","269758642847245179727498025429580904529","195401893343723787680960476151785971447","72380641635660808060694716956251780362","141797331147250530911102648456595779174","2704004268200097547417893485547819295","97868484814233050309242126571929676450"]},"id":"CVE-2018-14355-6299f1fd","signature_version":"v1","source":"https://gitlab.com/muttmua/mutt@31eef6c766f47df8281942d19f76e35f475c781d","deprecated":false,"target":{"file":"imap/util.c"},"signature_type":"Line"},{"digest":{"function_hash":"93499585419513541823634445214594359186","length":566},"deprecated":false,"signature_version":"v1","source":"https://gitlab.com/muttmua/mutt@31eef6c766f47df8281942d19f76e35f475c781d","id":"CVE-2018-14355-94bab218","target":{"function":"imap_hcache_open","file":"imap/util.c"},"signature_type":"Function"},{"digest":{"function_hash":"36220242076158421006655775108377330777","length":560},"id":"CVE-2018-14355-9f4ae404","signature_version":"v1","source":"https://github.com/neomutt/neomutt/commit/57971dba06346b2d7179294f4528b8d4427a7c5d","deprecated":false,"target":{"function":"imap_hcache_open","file":"imap/util.c"},"signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14355.json","vanir_signatures_modified":"2026-04-11T12:27:46Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}