{"id":"UBUNTU-CVE-2024-49394","details":"In mutt and neomutt, the In-Reply-To email header field is not protected by cryptographic signing, which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.","modified":"2026-02-04T03:02:19.571002Z","published":"2024-11-12T03:15:00Z","related":["USN-7204-1"],"upstream":["CVE-2024-49394"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-49394"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-49394"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2325330"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2024-49394"},{"type":"REPORT","url":"https://gitlab.com/muttmua/mutt/-/issues/490#note_2209448655"},{"type":"REPORT","url":"http://mutt.org/doc/manual/#crypt-protected-headers-read"},{"type":"REPORT","url":"https://github.com/neomutt/neomutt/commit/13cfc6f98322eafdc30ecc4c15999d401950a1d9"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7204-1"}],"affected":[{"package":{"name":"mutt","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/mutt@1.5.24-1ubuntu0.6+esm3?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.23-3.1ubuntu1","1.5.23-3.1ubuntu2","1.5.24-1","1.5.24-1build1","1.5.24-1ubuntu0.1","1.5.24-1ubuntu0.2","1.5.24-1ubuntu0.3","1.5.24-1ubuntu0.4","1.5.24-1ubuntu0.5","1.5.24-1ubuntu0.6","1.5.24-1ubuntu0.6+esm2","1.5.24-1ubuntu0.6+esm3"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"1.5.24-1ubuntu0.6+esm3","binary_name":"mutt"},{"binary_version":"1.5.24-1ubuntu0.6+esm3","binary_name":"mutt-patched"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"mutt","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/mutt@1.9.4-3ubuntu0.6+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.8.3+neomutt20170609-2build1","1.9.1-2","1.9.1-3","1.9.1-4","1.9.1-5","1.9.2-1","1.9.3-1","1.9.4-2","1.9.4-3","1.9.4-3ubuntu0.1","1.9.4-3ubuntu0.2","1.9.4-3ubuntu0.3","1.9.4-3ubuntu0.4","1.9.4-3ubuntu0.5","1.9.4-3ubuntu0.6","1.9.4-3ubuntu0.6+esm1"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"1.9.4-3ubuntu0.6+esm1","binary_name":"mutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"neomutt","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/neomutt@20171215+dfsg.1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["20171027-1","20171027-2","20171027+dfsg.1-1","20171027+dfsg.1-2","20171027+dfsg.1-4","20171208+dfsg.1-1","20171208+dfsg.1-2","20171215+dfsg.1-1","20171215+dfsg.1-1ubuntu0.1~esm1"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"20171215+dfsg.1-1ubuntu0.1~esm1","binary_name":"neomutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"mutt","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/mutt@1.13.2-1ubuntu0.6?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.10.1-2.1","1.12.2-1","1.12.2-2","1.13.0-1","1.13.2-1","1.13.2-1ubuntu0.1","1.13.2-1ubuntu0.2","1.13.2-1ubuntu0.3","1.13.2-1ubuntu0.4","1.13.2-1ubuntu0.5","1.13.2-1ubuntu0.6"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"1.13.2-1ubuntu0.6","binary_name":"mutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"neomutt","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/neomutt@20191207+dfsg.1-1.1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20191207+dfsg.1-1.1ubuntu0.1~esm1"}]}],"versions":["20180716+dfsg.1-1.2","20191111+dfsg.1-1","20191207+dfsg.1-1.1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"20191207+dfsg.1-1.1ubuntu0.1~esm1","binary_name":"neomutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"mutt","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/mutt@2.1.4-1ubuntu1.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.5-4.1build1","2.1.3-1","2.1.4-1","2.1.4-1build1","2.1.4-1ubuntu1.1","2.1.4-1ubuntu1.2"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"2.1.4-1ubuntu1.2","binary_name":"mutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"neomutt","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/neomutt@20211029+dfsg1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20211029+dfsg1-1ubuntu0.1~esm1"}]}],"versions":["20201127+dfsg.1-1.2","20211029+dfsg1-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"20211029+dfsg1-1ubuntu0.1~esm1","binary_name":"neomutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"mutt","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/mutt@2.2.12-0.1build4?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.9-1","2.2.9-1ubuntu0.23.10.1","2.2.12-0.1","2.2.12-0.1build2","2.2.12-0.1build3","2.2.12-0.1build4"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"2.2.12-0.1build4","binary_name":"mutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"neomutt","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/neomutt@20231103+dfsg1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20231103+dfsg1-1ubuntu0.1~esm1"}]}],"versions":["20220429+dfsg1-4.1","20231103+dfsg1-1","20231103+dfsg1-1build2","20231103+dfsg1-1build3"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"20231103+dfsg1-1ubuntu0.1~esm1","binary_name":"neomutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}},{"package":{"name":"mutt","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/mutt@2.2.13-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.13-1"],"ecosystem_specific":{"priority_reason":"This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.","binaries":[{"binary_version":"2.2.13-1","binary_name":"mutt"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-49394.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}]}