CVE-2021-33515

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

References

Affected packages

Git / github.com/dovecot/core

Affected ranges

Type: GIT
Repo: https://github.com/dovecot/core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9f0cfb6426ad9384f24dab0e6d33806b7f2a2eaf

Affected versions

1.*

1.1.alpha1

1.1.alpha2

1.1.alpha4

1.1.alpha5

1.1.alpha6

1.1.beta1

1.1.beta10

1.1.beta11

1.1.beta12

1.1.beta13

1.1.beta14

1.1.beta16

1.1.beta2

1.1.beta3

1.1.beta4

1.1.beta5

1.1.beta6

1.1.beta8

1.1.beta9

1.1.rc1

1.1.rc2

1.1.rc3

1.1.rc4

1.1.rc5

1.1.rc6

1.1.rc7

1.1.rc8

1.2.alpha1

1.2.alpha2

1.2.alpha3

1.2.alpha4

1.2.alpha5

1.2.beta1

1.2.beta2

1.2.beta3

1.2.beta4

1.2.rc1

2.*

2.0.0

2.0.1

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.alpha1

2.0.alpha2

2.0.alpha3

2.0.beta1

2.0.beta2

2.0.beta3

2.0.beta4

2.0.beta5

2.0.beta6

2.0.rc1

2.0.rc2

2.0.rc3

2.0.rc4

2.0.rc5

2.0.rc6

2.1.0

2.1.1

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.alpha1

2.1.alpha2

2.1.beta1

2.1.rc1

2.1.rc2

2.1.rc3

2.1.rc4

2.1.rc5

2.1.rc6

2.1.rc7

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.13.rc1

2.2.14

2.2.14.rc1

2.2.15

2.2.16

2.2.16.rc1

2.2.17

2.2.17.rc1

2.2.17.rc2

2.2.18

2.2.19

2.2.19.rc1

2.2.19.rc2

2.2.2

2.2.20

2.2.20.rc1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.alpha1

2.2.beta1

2.2.beta2

2.2.rc1

2.2.rc2

2.2.rc3

2.2.rc4

2.2.rc5

2.2.rc6

2.2.rc7

2.3.14

2.3.14.rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33515.json"