vulnerability
Oracle Linux: CVE-2021-33515: ELSA-2022-1950: dovecot security update (MODERATE) (Multiple Advisories)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
4 | (AV:N/AC:H/Au:S/C:P/I:P/A:N) | Jun 21, 2021 | May 18, 2022 | Nov 27, 2024 |
Severity
4
CVSS
(AV:N/AC:H/Au:S/C:P/I:P/A:N)
Published
Jun 21, 2021
Added
May 18, 2022
Modified
Nov 27, 2024
Description
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
Solution(s)
oracle-linux-upgrade-dovecotoracle-linux-upgrade-dovecot-develoracle-linux-upgrade-dovecot-mysqloracle-linux-upgrade-dovecot-pgsqloracle-linux-upgrade-dovecot-pigeonhole

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.