CVE-2021-33515

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

Published: Jun 28, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-33515
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
dovecot / dovecot	-	2.3.14.1
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
debian / debian_linux	10.0	10.0.x

https://dovecot.org/security
https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/
https://lists.fedoraproject.org/archives/list/[email protected]/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/
https://security.gentoo.org/glsa/202107-41
https://www.openwall.com/lists/oss-security/2021/06/28/2

Vulnerability Database

289,697

CVE-2021-33515