An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription.
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2018:2526 | third party advisory vendor advisory |
| https://gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1d | third party advisory patch |
| https://usn.ubuntu.com/3719-3/ | third party advisory vendor advisory |
| https://www.debian.org/security/2018/dsa-4277 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html | third party advisory mailing list |
| https://github.com/neomutt/neomutt/commit/e52393740334443ae0206cab2d7caef381646725 | third party advisory patch |
| https://security.gentoo.org/glsa/201810-07 | third party advisory vendor advisory |
| http://www.mutt.org/news.html | release notes vendor advisory |
| https://neomutt.org/2018/07/16/release | release notes vendor advisory |
| https://usn.ubuntu.com/3719-1/ | third party advisory vendor advisory |