PT-2021-3385 · Dovecot

Damian Poddebniak

Published 2021-06-21 · Updated 2025-01-30

CVE-2021-33515

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Dovecot versions prior to 2.3.15
Description: The issue lies in the submission service of Dovecot, where lib-smtp allows STARTTLS command injection. As a result, sensitive information can be redirected to an attacker-controlled address. The vulnerability is also classified as incorrect neutralization of special elements in output used by the incoming component, which may allow a remote attacker to disclose user credentials.
Recommendations: For versions prior to 2.3.15, update to version 2.3.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the submission service until the patch is applied. Avoid using the STARTTLS command in lib-smtp until the issue is resolved.
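As an added illustration (not Dovecot's or lib-smtp's code), the toy SMTP command reader below models the flaw class named above and the hardening a fix applies: one reader keeps plaintext bytes that were already buffered behind the STARTTLS line and executes them once TLS is up, the other discards that buffered input before the handshake. The byte streams, hostnames and addresses are constructed, and the TLS handshake is represented by a flag.

```python
from dataclasses import dataclass, field

# Constructed sample traffic. The recipient pipelined behind STARTTLS in the
# plaintext phase is the injected one; the second stream is what the real
# client sends once the TLS session is established.
PLAINTEXT_PHASE = (b"EHLO mail.example\r\n"
                   b"STARTTLS\r\n"
                   b"RCPT TO:<injected@example.invalid>\r\n")
TLS_PHASE = (b"MAIL FROM:<alice@example.com>\r\n"
             b"RCPT TO:<bob@example.com>\r\n")


@dataclass
class CommandReader:
    """Minimal line-oriented SMTP command reader (toy model, not lib-smtp)."""
    discard_after_starttls: bool          # True models the hardened behaviour
    tls_active: bool = False              # stand-in for a completed handshake
    buf: bytes = b""
    executed: list = field(default_factory=list)   # (command, seen_as_tls)

    def feed(self, data: bytes) -> None:
        self.buf += data
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            cmd = line.decode("ascii", "replace").strip()
            if cmd.upper() == "STARTTLS":
                self.executed.append((cmd, self.tls_active))
                if self.discard_after_starttls:
                    # Bytes already buffered arrived in plaintext before the
                    # handshake and must not be attributed to the TLS session.
                    self.buf = b""
                self.tls_active = True   # the real handshake would run here
                continue
            self.executed.append((cmd, self.tls_active))


def run_session(hardened: bool) -> list:
    """Replay both phases through a reader and return what it executed."""
    reader = CommandReader(discard_after_starttls=hardened)
    reader.feed(PLAINTEXT_PHASE)
    reader.feed(TLS_PHASE)
    return reader.executed


def recipients_seen_as_tls(hardened: bool) -> list:
    """RCPT TO addresses the reader attributed to the TLS-protected session."""
    return [cmd.split(":", 1)[1] for cmd, tls in run_session(hardened)
            if tls and cmd.upper().startswith("RCPT TO")]
```

With the vulnerable setting the injected recipient is accepted as if it had been sent inside the TLS session; with the hardened setting only the recipient sent after the handshake remains.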

Tags: Fix · Command Injection · Special Elements Injection


Weakness Enumeration

Related Identifiers

ALSA-2022:1950
ALT-PU-2021-2500
ALT-PU-2021-2537
ALT-PU-2021-2548
ALT-PU-2021-2579
AZL-7196
BDU:2021-03236
CESA-2022_1950
CVE-2021-33515
DLA-3122-1
MGASA-2021-0557
OESA-2021-1270
OPENSUSE-SU-2021:0920-1
OPENSUSE-SU-2021:2123-1
OPENSUSE-SU-2021_0920-1
OPENSUSE-SU-2021_2123-1
OPENSUSE-SU-2024:10726-1
OPENSUSE-SU-2025:14715-1
RHSA-2022:1950
RHSA-2022_1950
RLSA-2022:1950
SUSE-SU-2021:2122-1
SUSE-SU-2021:2123-1
SUSE-SU-2021:2124-1
USN-4993-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Dovecot
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu