vulnerability

Oracle Linux: CVE-2021-33515: ELSA-2022-1950: dovecot security update (MODERATE) (Multiple Advisories)

Severity
4
CVSS
(AV:N/AC:H/Au:S/C:P/I:P/A:N)
Published
Jun 21, 2021
Added
May 18, 2022
Modified
Nov 27, 2024

Description

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.

Solution(s)

oracle-linux-upgrade-dovecotoracle-linux-upgrade-dovecot-develoracle-linux-upgrade-dovecot-mysqloracle-linux-upgrade-dovecot-pgsqloracle-linux-upgrade-dovecot-pigeonhole
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.