CVE-2024-49395: 
Linux Debian vulnerability analysis and mitigation

In mutt and neomutt email clients, a vulnerability (CVE-2024-49395) has been identified where PGP encryption does not utilize the --hidden-recipient mode, potentially exposing the Bcc email header field through recipient information inference. The vulnerability was reported on November 11, 2024, affecting both mutt and neomutt mail clients across various operating systems including Red Hat Enterprise Linux 8.0 and 9.0 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates network accessibility, low attack complexity, no privileges required, no user interaction needed, unchanged scope, low confidentiality impact, and no impact on integrity or availability. The vulnerability is classified under CWE-1230 (Exposure of Sensitive Information Through Metadata) (Red Hat CVE).

The vulnerability could lead to the exposure of Bcc (blind carbon copy) recipients in encrypted emails, compromising the confidentiality of email communications. This information leakage could reveal the identity of recipients who were intended to remain hidden from other recipients (Ubuntu CVE).

The Mutt project has indicated they do not plan to address this vulnerability, considering it a documented limitation rather than a security issue. Neomutt is planning to implement a fix, though it is considered low priority with a potential release date around April 2025. Currently, there are no official workarounds available (Ubuntu CVE).

The security community has generally classified this as a low-priority issue, with Ubuntu and other distributions marking it as 'low' priority. The consensus appears to be that this is more of an enhancement request rather than a critical security vulnerability (Ubuntu CVE).