CVE-2021-33515
Description
Dovecot submission service before 2.3.15 allows STARTTLS command injection, enabling sensitive data redirection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The submission service in Dovecot versions before 2.3.15 contains a STARTTLS command injection vulnerability in the lib-smtp library. When a client pipelines additional commands in plaintext after sending the STARTTLS command, those commands are executed inside the TLS session, bypassing the intended security boundary. This affects Dovecot 2.3.x installations using the submission service [1].
Exploitation
An attacker with network access to the SMTP submission port can exploit this by sending a STARTTLS command followed by pipelined SMTP commands in plaintext. The server incorrectly processes these plaintext commands as if they were within the TLS session, allowing the attacker to inject arbitrary submission commands. No authentication is required beyond the ability to initiate an SMTP connection [1].
Impact
Successful exploitation allows an attacker to intercept or redirect sensitive information, such as email content or credentials, to an attacker-controlled address. The confidentiality and integrity of data transmitted via the submission service are compromised, though the CVSS score of 4.2 indicates low overall severity [1].
Mitigation
The vulnerability is fixed in Dovecot version 2.3.15, released on June 21, 2021 [1]. Users should upgrade to this version or later. No known workarounds exist; disabling the submission service or restricting network access may reduce exposure but is not a full mitigation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot/Dovecot
- Range: <2.3.15
OSV package coordinates (24 versions, no CPE), each with the version range affected:
- pkg:rpm/almalinux/dovecot: < 1:2.3.16-2.el8
- pkg:rpm/almalinux/dovecot-devel: < 1:2.3.16-2.el8
- pkg:rpm/almalinux/dovecot-mysql: < 1:2.3.16-2.el8
- pkg:rpm/almalinux/dovecot-pgsql: < 1:2.3.16-2.el8
- pkg:rpm/almalinux/dovecot-pigeonhole: < 1:2.3.16-2.el8
- pkg:rpm/opensuse/dovecot23 (openSUSE Leap 15.2): < 2.3.11.3-lp152.2.9.1
- pkg:rpm/opensuse/dovecot23 (openSUSE Leap 15.3): < 2.3.11.3-55.1
- pkg:rpm/opensuse/dovecot23 (openSUSE Tumbleweed): < 2.3.16-1.6
- pkg:rpm/opensuse/dovecot24 (openSUSE Tumbleweed): < 2.4.0-1.1
- pkg:rpm/suse/dovecot23 (SUSE Enterprise Storage 6): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 2.3.11.3-4.35.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 2.3.11.3-4.35.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Module for Server Applications 15 SP2): < 2.3.11.3-55.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Module for Server Applications 15 SP3): < 2.3.11.3-55.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Server 15 SP1-BCL): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Server 15 SP1-LTSS): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Server 15-LTSS): < 2.3.11.3-4.35.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Server for SAP Applications 15): < 2.3.11.3-4.35.1
- pkg:rpm/suse/dovecot23 (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Manager Proxy 4.0): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Manager Retail Branch Server 4.0): < 2.3.11.3-24.1
- pkg:rpm/suse/dovecot23 (SUSE Manager Server 4.0): < 2.3.11.3-24.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation in lib-smtp allows plaintext commands pipelined after STARTTLS to be executed inside the TLS session."
Attack vector
A man-in-the-middle (MITM) attacker can inject plaintext SMTP commands pipelined immediately after the STARTTLS command [ref_id=1]. Because the server processes those pipelined commands inside the TLS session, the attacker's injected preamble commands execute before the legitimate user's commands [ref_id=1]. This allows the attacker to redirect the user's mail and other commands to an attacker-controlled address [ref_id=1]. The attack requires a network position from which the SMTP session can be intercepted and modified, and the attacker must have low privileges (CVSS 4.2) [ref_id=1].
Affected code
The vulnerability resides in Dovecot's lib-smtp component, specifically in the submission service's handling of the STARTTLS command [ref_id=1]. The advisory does not specify exact function or file names beyond "lib-smtp" and "submission" [ref_id=1].
What the fix does
The advisory states the fix is included in Dovecot 2.3.15 [ref_id=1]. No patch diff is provided in the bundle, but the recommended remediation is to upgrade to the fixed version or disable STARTTLS support [ref_id=1]. The fix likely ensures that any commands pipelined after STARTTLS are rejected or queued until the TLS handshake completes, preventing injection of plaintext commands into the TLS session [ref_id=1].
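The buffering defect described under Root cause, and the behaviour the fix has to enforce, modelled as an added Python illustration (not Dovecot's lib-smtp code): a toy submission command loop parses lines from a byte buffer, and the `fixed` variant assumes a 2.3.15-style remedy of discarding any plaintext still unparsed when STARTTLS is processed, since the page provides no patch diff. The class and function names are hypothetical, the client input is constructed, and the TLS handshake is a flag rather than a real negotiation.

```python
# Added illustration of the bug class behind CVE-2021-33515, not Dovecot's own
# lib-smtp code: the submission command loop is reduced to a byte buffer plus a
# line parser, and the TLS handshake is simulated by a flag (no real TLS).

class SubmissionSession:
    """Minimal SMTP submission command loop with a STARTTLS layer switch."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed          # True: discard leftover plaintext at STARTTLS
        self.tls_active = False     # becomes True after the simulated handshake
        self.buffer = b""           # bytes read from the socket, not yet parsed
        self.executed = []          # (verb, layer the server attributed it to)
        self.discarded = 0          # plaintext bytes dropped by the fixed variant

    def feed(self, data: bytes) -> None:
        """Deliver bytes from the client on whichever layer is currently active."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            verb = line.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb == "STARTTLS" and not self.tls_active:
                if self.fixed and self.buffer:
                    # Whatever followed STARTTLS in the same plaintext read was
                    # never protected by TLS, so it must not survive the switch.
                    self.discarded += len(self.buffer)
                    self.buffer = b""
                # Vulnerable variant: the leftover plaintext stays in self.buffer
                # and is parsed on the next iteration as if it had arrived over TLS.
                self.tls_active = True      # simulated handshake completion
                continue
            self.executed.append((verb, "tls" if self.tls_active else "plaintext"))


def run_session(fixed: bool) -> SubmissionSession:
    """Replay one constructed client exchange against either variant."""
    session = SubmissionSession(fixed)
    # Constructed plaintext read: STARTTLS with a harmless NOOP pipelined behind it.
    session.feed(b"EHLO client.example\r\nSTARTTLS\r\nNOOP pipelined-in-plaintext\r\n")
    # Constructed bytes the client sends after its handshake has completed.
    session.feed(b"MAIL FROM:<user@example.com>\r\n")
    return session


if __name__ == "__main__":
    for fixed in (False, True):
        s = run_session(fixed)
        print("fixed" if fixed else "vulnerable", s.executed, "discarded:", s.discarded)
```

In the vulnerable run the NOOP that arrived in plaintext is recorded as a TLS-layer command, which is exactly the boundary confusion the advisory describes; the fixed run never executes it.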
Preconditions
- network: Attacker must be in a man-in-the-middle position on the network path between the client and the Dovecot submission service
- auth: Attacker must have low-level privileges (CVSS PR:L)
- config: The Dovecot submission service must have STARTTLS enabled
- input: Attacker injects pipelined plaintext SMTP commands immediately after the STARTTLS command
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/ (mitre; vendor-advisory; x_refsource_FEDORA)
- security.gentoo.org/glsa/202107-41 (mitre; vendor-advisory; x_refsource_GENTOO)
- dovecot.org/security (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2022/09/msg00032.html (mitre; mailing-list; x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/06/28/2 (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.