A security issue has been found in Dovecot before version 18.104.22.168. An on-path attacker could inject plaintext commands before the STARTTLS negotiation, and the server would execute them after the STARTTLS negotiation with the client had finished. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and emails. The attacker needs to have sending permissions on the submission server (a valid username and password).
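The failure mode described above, as an added example that is not Dovecot's code and not part of the original advisory: a toy model of a submission server's input buffer, showing plaintext bytes queued behind STARTTLS being processed after the handshake, next to a hardened variant that discards them. It assumes the issue follows the general STARTTLS buffering bug class; `SubmissionSession`, `discard_on_starttls` and `run` are hypothetical names, and the sample bytes are constructed.

```python
# Added illustration: toy model of SMTP submission input buffering around
# STARTTLS. Not Dovecot code; class and parameter names are hypothetical.

class SubmissionSession:
    def __init__(self, discard_on_starttls):
        self.discard_on_starttls = discard_on_starttls
        self.buf = b""            # bytes read from the socket, not yet parsed
        self.tls = False          # True once the TLS handshake has completed
        self.ran_under_tls = []   # commands processed as if TLS-protected
        self.rejected = False     # True if the session refused to upgrade

    def feed_plaintext(self, data):
        """Bytes received on the wire before TLS is active."""
        self.buf += data
        while not self.tls and b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if line.upper() == b"STARTTLS":
                self._starttls()

    def _starttls(self):
        if self.discard_on_starttls and self.buf:
            # Hardened: anything pipelined behind STARTTLS arrived unprotected
            # and cannot be trusted, so drop it and refuse to continue.
            self.buf = b""
            self.rejected = True
            return
        self.tls = True  # handshake modelled as instantaneous
        # Vulnerable: leftover plaintext stays in the buffer and is parsed
        # as though it had come through the encrypted channel.
        self._drain()

    def feed_tls(self, data):
        """Decrypted bytes received after the handshake."""
        self.buf += data
        self._drain()

    def _drain(self):
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self.ran_under_tls.append(line.decode())

def run(discard_on_starttls):
    s = SubmissionSession(discard_on_starttls)
    # Constructed sample: one segment carrying STARTTLS plus a trailing command
    s.feed_plaintext(b"STARTTLS\r\nNOOP\r\n")
    if not s.rejected:
        s.feed_tls(b"EHLO client.example\r\n")
    return s.ran_under_tls, s.rejected
```

In the vulnerable mode the trailing `NOOP` is recorded as if it had arrived over TLS; in the hardened mode the session is rejected and nothing from the plaintext phase is carried across.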
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 22 Jun 2021 | ASA-202106-56 | AVG-2087 | dovecot | High | information disclosure |