CVE-2021-33515 - log

CVE-2021-33515 edited at 28 Jun 2021 10:05:27
References
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
+ https://www.openwall.com/lists/oss-security/2021/06/28/2
https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38
CVE-2021-33515 edited at 22 Jun 2021 15:24:13
Description
- A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
+ A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and emails. The attacker needs to have sending permissions on the submission server (a valid username and password).
CVE-2021-33515 edited at 22 Jun 2021 13:49:54
Severity
- Medium
+ High
Type
- Man-in-the-middle
+ Information disclosure
CVE-2021-33515 edited at 21 Jun 2021 14:58:01
References
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
+ https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38
CVE-2021-33515 edited at 21 Jun 2021 14:50:49
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Man-in-the-middle
Description
+ A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected. As a result, an attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
References
+ https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
Notes
CVE-2021-33515 created at 21 Jun 2021 14:43:15