CVE-2021-33515

Publication date 21 June 2021

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dovecot	22.04 LTS jammy	Fixed 2.3.13+dfsg1-1ubuntu2
	21.10 impish	Fixed 2.3.13+dfsg1-1ubuntu2
	21.04 hirsute	Fixed 1:2.3.13+dfsg1-1ubuntu1.1
	20.10 groovy	Fixed 1:2.3.11.3+dfsg1-2ubuntu0.2
	20.04 LTS focal	Fixed 1:2.3.7.2-1ubuntu3.4
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Notes

mdeslaur

per upstream, this affects 2.3.0-2.3.14

Severity score breakdown

Parameter	Value
Base score	4.8 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

Related Ubuntu Security Notices (USN)

USN-4993-1
Dovecot vulnerabilities
21 June 2021