Arch Linux: Silent downgrade (CVE-2020-28896)

Severity: 3
CVSS: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Published: Nov 23, 2020
Added: Jul 11, 2025
Modified: Nov 27, 2025

Description

A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection, if the server provided an illegal initial response, the application "bailed", but did not actually close the connection. The calling code relied on the connection status to decide to continue with authentication, instead of checking the "bail" return value.
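The pattern described above, as an added C model written for this page (not Mutt's or NeoMutt's code): conn_open "bails" on an illegal greeting, the vulnerable caller decides on the connection state rather than the return value, and the fixed caller honours the return value and has the connection closed on bail. The names, the "* OK" greeting check and the return codes are constructed for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the flaw; not the real mail client's code. */
typedef struct {
    int  fd;   /* -1 = closed; any other value models an open socket */
    bool tls;  /* TLS negotiated on this connection */
} conn_t;

enum { CREDS_NOT_SENT = 0, CREDS_SENT_TLS = 1, CREDS_SENT_PLAINTEXT = 2 };

/* Open a connection and read the server's initial response. Returns -1 ("bail")
 * when the greeting is illegal. The buggy variant leaves the socket open on
 * bail; the fixed variant closes it. The TLS upgrade only runs after a legal
 * greeting, so tls is set on the success path only. */
static int conn_open(conn_t *c, const char *greeting, bool close_on_bail)
{
    c->fd = 3;          /* constructed descriptor number */
    c->tls = false;
    if (strncmp(greeting, "* OK", 4) != 0) {   /* illegal initial response */
        if (close_on_bail)
            c->fd = -1;
        return -1;                             /* bail */
    }
    c->tls = true;      /* models the TLS step that follows a valid greeting */
    return 0;
}

/* Vulnerable caller: decides on connection state, ignores the bail value. */
static int login_vulnerable(const char *greeting)
{
    conn_t c;
    conn_open(&c, greeting, false);
    if (c.fd < 0)
        return CREDS_NOT_SENT;
    /* Connection still "open" after a bail, so credentials go out anyway,
     * without TLS and without $ssl_force_tls ever being consulted. */
    return c.tls ? CREDS_SENT_TLS : CREDS_SENT_PLAINTEXT;
}

/* Fixed caller: honours the return value; conn_open also closes on bail. */
static int login_fixed(const char *greeting, bool ssl_force_tls)
{
    conn_t c;
    if (conn_open(&c, greeting, true) != 0)
        return CREDS_NOT_SENT;
    if (ssl_force_tls && !c.tls)
        return CREDS_NOT_SENT;
    return c.tls ? CREDS_SENT_TLS : CREDS_SENT_PLAINTEXT;
}
```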

Solution

arch-linux-upgrade-latest
