vulnerability
Oracle Linux: CVE-2021-33515: ELSA-2022-1950: dovecot security update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Jun 21, 2021 | May 18, 2022 | Dec 3, 2025 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Jun 21, 2021
Added
May 18, 2022
Modified
Dec 3, 2025
Description
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
Solutions
oracle-linux-upgrade-dovecotoracle-linux-upgrade-dovecot-develoracle-linux-upgrade-dovecot-mysqloracle-linux-upgrade-dovecot-pgsqloracle-linux-upgrade-dovecot-pigeonhole
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.