An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2018:2526 | third party advisory vendor advisory |
| https://gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1d | third party advisory patch |
| https://usn.ubuntu.com/3719-3/ | third party advisory vendor advisory |
| https://www.debian.org/security/2018/dsa-4277 | third party advisory vendor advisory |
| https://github.com/neomutt/neomutt/commit/95e80bf9ff10f68cb6443f760b85df4117cb15eb | third party advisory patch |
| https://usn.ubuntu.com/3719-2/ | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html | third party advisory mailing list |
| https://security.gentoo.org/glsa/201810-07 | third party advisory vendor advisory |
| http://www.securityfocus.com/bid/104925 | vdb entry third party advisory |
| http://www.mutt.org/news.html | release notes vendor advisory |
| https://neomutt.org/2018/07/16/release | release notes vendor advisory |
| https://usn.ubuntu.com/3719-1/ | third party advisory vendor advisory |