Code injection in Dovecot - CVE-2021-33515

 

Code injection in Dovecot - CVE-2021-33515

Published: June 21, 2021


Vulnerability identifier: #VU54286
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-33515
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Dovecot
Affected software:
Dovecot

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in the way STARTTLS command in processed by the SMTP server. the commands sent during the session before the STARTTLS command are queued and executed later, after the STARTTLS finished with the client. As a result, a remote attacker can perform a MitM attack and gain access to victim's emails.


How to mitigate CVE-2021-33515

Install updates from vendor's website.

Sources