Command injection in mutt (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-14357 |
| CWE-ID | CWE-77 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
mutt (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Command injection
EUVDB-ID: #VU14143
Risk: Low
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-14357
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to command injection. A remote attacker can use IMAP servers to inject and execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription.
MitigationInstall update from vendor's website.
Vulnerable software versionsmutt (Alpine package): 1.5.21-r0 - 1.10.0-r0
CPE2.3- cpe:2.3:a:alpine:mutt_alpine_package:1.5.21-r0:*:*:*:*:alpine_linux:*:2.4
- cpe:2.3:a:alpine:mutt_alpine_package:1.5.22-r0:*:*:*:*:alpine_linux:*:2.6
- cpe:2.3:a:alpine:mutt_alpine_package:1.5.23-r0:*:*:*:*:alpine_linux:*:2.4
https://git.alpinelinux.org/aports/commit/?id=0d3886cdea880fe65aff164040ab54f9e2d5ee93
https://git.alpinelinux.org/aports/commit/?id=7b76ef5a44a34f2aa0ab6dcbd05653a7f384d5cd
https://git.alpinelinux.org/aports/commit/?id=8096bf545fbce05d5535cb01173187a08a4e7f14
https://git.alpinelinux.org/aports/commit/?id=e16a7290cad51651c51b16468159e0bb5a11f234
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
