Bug 1973610 (CVE-2021-33515)
| Summary: | CVE-2021-33515 dovecot: plaintext commands injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anon.amish, bennie.joubert, cbuissar, janfrode, mhlavink, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | dovecot 2.3.14.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-11 06:46:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1974393, 1979832, 1980013, 1980014 | ||
| Bug Blocks: | 1973612 | ||
|
Description
Marian Rehak
2021-06-18 10:21:22 UTC
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1974393] This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1950 https://access.redhat.com/errata/RHSA-2022:1950 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33515 |