[Dovecot-news] CVE-2021-33515: SMTP Submission service STARTTLS injection

Timo Sirainen timo at sirainen.com
Mon Jun 21 14:51:30 EEST 2021

Open-Xchange Security Advisory 2021-06-21

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4583 (Bug ID)
Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
Vulnerable version: 2.3.0-2.3.14
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version:
Vendor notification: 2021-05-21
Solution date: 2021-05-22
Public disclosure: 2021-06-21
CVE reference: CVE-2021-33515
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Researcher credit: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences

Vulnerability Details:

An on-path attacker could inject plaintext commands before the STARTTLS negotiation that would be executed after STARTTLS had completed with the client. Only the SMTP submission service is affected.

An attacker can potentially steal user credentials and mails. The attacker needs to have sending permissions on the submission server (a valid username and password).
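
The buffer-handling mistake behind this class of bug, as an added illustration that is not Dovecot's code: a simulated submission server reads CRLF-terminated commands from a buffer; the vulnerable variant keeps any bytes already read past the STARTTLS line and executes them once the session is "encrypted", while the fixed variant discards them before the handshake. The sample byte strings and the example.test name are constructed.

```python
"""Added illustration of the STARTTLS buffer-injection class; not Dovecot's code.
Bytes already read past the STARTTLS line arrived unencrypted and must be
discarded before the handshake, or they run as if sent inside the TLS session."""
from typing import List, Tuple

CRLF = b"\r\n"
# Constructed sample traffic: an RSET pipelined after STARTTLS in the plaintext
# phase, then the commands the real client sends once TLS is up.
PLAINTEXT_PHASE = b"EHLO example.test\r\nSTARTTLS\r\nRSET\r\n"
TLS_PHASE = b"EHLO example.test\r\nAUTH PLAIN dGVzdAB0ZXN0AHBhc3M=\r\n"


def split_lines(data: bytes) -> Tuple[List[bytes], bytes]:
    """Return complete CRLF-terminated lines plus the unconsumed partial tail."""
    parts = data.split(CRLF)
    return parts[:-1], parts[-1]


def run_session(plaintext: bytes, tls_data: bytes,
                discard_on_starttls: bool) -> List[Tuple[str, bytes]]:
    """Simulate the server; return (phase, command) for every executed command.
    discard_on_starttls=False reproduces the bug, True the fix."""
    executed: List[Tuple[str, bytes]] = []
    phase, buf = "plaintext", plaintext
    while True:
        lines, buf = split_lines(buf)
        for i, line in enumerate(lines):
            executed.append((phase, line))
            if phase == "plaintext" and line.upper() == b"STARTTLS":
                # Everything after this line was read before TLS started.
                leftover = CRLF.join(lines[i + 1:] + [buf])
                if discard_on_starttls:
                    leftover = b""  # fix: never carry plaintext into TLS
                # Handshake done; later bytes come from the TLS layer.
                phase, buf = "tls", leftover + tls_data
                break
        else:
            return executed


def injected_commands() -> List[bytes]:
    """Commands the vulnerable server runs inside TLS that the fixed one does not."""
    vulnerable = run_session(PLAINTEXT_PHASE, TLS_PHASE, False)
    fixed = set(run_session(PLAINTEXT_PHASE, TLS_PHASE, True))
    return [cmd for ph, cmd in vulnerable if ph == "tls" and (ph, cmd) not in fixed]
```

The same discard rule also covers a partial line left in the buffer, which would otherwise be glued onto the first bytes the client sends inside TLS.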
Operators should update to or later version.
