vulnerability
Oracle Linux: CVE-2021-33515: ELSA-2022-1950: dovecot security update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Jun 21, 2021 | May 18, 2022 | Dec 3, 2025 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Jun 21, 2021
Added
May 18, 2022
Modified
Dec 3, 2025
Description
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
Solutions
oracle-linux-upgrade-dovecotoracle-linux-upgrade-dovecot-develoracle-linux-upgrade-dovecot-mysqloracle-linux-upgrade-dovecot-pgsqloracle-linux-upgrade-dovecot-pigeonhole
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.