
1063 matches found

Veracode
added 2023/07/18 3:28 a.m. · 28 views

Information Disclosure

Jenkins Active Directory Plugin is vulnerable to Information Disclosure. The vulnerability exists because it ignores the "Require TLS" and "StartTls" options and performs the connection test unencrypted, which allows an attacker to gain access to sensitive information in the system...

CVSS 5.9 · AI score 6.6 · EPSS 0.00384
Exploits 0 · References 3 · Affected Software 1
Github Security Blog
added 2023/07/12 6:30 p.m. · 38 views

Jenkins Active Directory Plugin vulnerable to Active Directory credential disclosure

Jenkins Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test with the button labeled "Test Domain". Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory...

CVSS 5.9 · AI score 6.6 · EPSS 0.00384
Exploits 0 · References 5 · Affected Software 1
Vulnrichment
added 2023/07/12 3:52 p.m. · 20 views

CVE-2023-37943

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Activ...

AI score 6.6 · EPSS 0.00384
Exploits 0 · References 2
Redos
added 2023/07/06 12:00 a.m. · 2 views

ROS-2-2243

2.2243 Vulnerability in Mozilla Thunderbird email client CVE-2021-29970, CVE-2021-30547, CVE-2021-29976, CVE-2021-29969. 1. Vulnerability Description: CVE-2021-29970 Vulnerability in Mozilla Thunderbird email client, related to HTML content processing error. Exploitation of the vulnerability coul...

CVSS 8.8 · AI score 8.3 · EPSS 0.03582
Exploits 1
Redos
added 2023/07/06 12:00 a.m. · 2 views

ROS-2-2136

2.2136 Vulnerability in Mozilla Thunderbird email client CVE-2021-29970, CVE-2021-30547, CVE-2021-29976, CVE-2021-29969. 1. Vulnerability Description: CVE-2021-29970 Vulnerability in Mozilla Thunderbird email client, related to HTML content processing error. Exploitation of the vulnerability coul...

CVSS 8.8 · AI score 8.3 · EPSS 0.03582
Exploits 1
Redos
added 2023/07/06 12:00 a.m. · 12 views

ROS-2-1301

2.1301 Vulnerability in Mozilla Thunderbird email client CVE-2021-29970, CVE-2021-30547, CVE-2021-29976, CVE-2021-29969. 1. Vulnerability Description: CVE-2021-29970 Vulnerability in Mozilla Thunderbird email client, related to HTML content processing error. Exploitation of the vulnerability coul...

CVSS 8.8 · AI score 8.3 · EPSS 0.03582
Exploits 1
OSV
added 2023/06/29 8:26 p.m. · 2 views

CLSA-2023-1688070370 Fix CVE(s): CVE-2021-38371

SECURITY UPDATE: Response injection buffering during MTA SMTP sending - debian/patches/CVE-2021-38371.patch: Enforce STARTTLS sync point, client side in src/transports/smtp.c - CVE-2021-38371...

CVSS 7.5 · AI score 7.2 · EPSS 0.01996
Exploits 0 · References 1
OSV
added 2023/06/26 4:05 p.m. · 2 views

CLSA-2023-1687795531 Fix CVE(s): CVE-2021-38371

SECURITY UPDATE: Response injection buffering during MTA SMTP sending - debian/patches/CVE-2021-38371.patch: Enforce STARTTLS sync point, client side in src/transports/smtp.c - CVE-2021-38371...

CVSS 7.5 · AI score 7.2 · EPSS 0.01996
Exploits 0 · References 1
OSV
added 2023/06/26 4:00 p.m. · 3 views

CLSA-2023-1687795205 exim: Fix of CVE-2021-38371

CVE-2021-38371: Enforce STARTTLS sync point, client side in src/transports/smtp.c...

CVSS 7.5 · AI score 7.1 · EPSS 0.01996
Exploits 0 · References 1
OSV
added 2023/06/26 3:55 p.m. · 3 views

CLSA-2023-1687794906 exim: Fix of CVE-2021-38371

CVE-2021-38371: Enforce STARTTLS sync point, client side in src/transports/smtp.c...

CVSS 7.5 · AI score 7.1 · EPSS 0.01996
Exploits 0 · References 1
CloudLinux
added 2023/06/26 3:55 p.m. · 56 views

exim: Fix of CVE-2021-38371

CVE-2021-38371: Enforce STARTTLS sync point, client side in src/transports/smtp.c...

CVSS 7.5 · AI score 7 · EPSS 0.01996
Exploits 0
OSV
added 2023/05/29 7:15 p.m. · 1 view

CVE-2021-37845

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command, a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595. This potentially allows an attacker...

CVSS 3.7 · AI score 5.8
Exploits 0 · References 3
OSV
added 2023/05/29 7:15 p.m. · 1 view

UBUNTU-CVE-2021-37845

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command, a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595. This potentially allows an attacker...

CVSS 3.7 · AI score 5.8 · EPSS 0.00665
Exploits 1 · References 4
UbuntuCve
added 2023/05/29 7:15 p.m. · 23 views

CVE-2021-37845

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command, a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595. This potentially allows an attacker...

CVSS 3.7 · AI score 5.9 · EPSS 0.00665
Exploits 1 · References 3
Prion
added 2023/05/29 7:15 p.m. · 15 views

Design/Logic Flaw

An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure...

CVSS 2.6 · AI score 5.7 · EPSS 0.00753
Exploits 0 · References 2 · Affected Software 1
Prion
added 2023/05/29 7:15 p.m. · 18 views

Command injection

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command, a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595. This potentially allows an attacker...

CVSS 2.6 · AI score 4.2 · EPSS 0.00665
Exploits 1 · References 3 · Affected Software 1
Positive Technologies
added 2023/05/29 12:00 a.m. · 4 views

PT-2023-12330 · Citadel · Citadel

Name of the Vulnerable Software and Affected Versions: Citadel through webcit-932 Description: An issue was discovered that allows a meddler-in-the-middle attacker to fixate their own session during the cleartext phase before a STARTTLS command, violating the RFC2595 standard. This potentially...

CVSS 3.7 · AI score 6.6 · EPSS 0.00665
Exploits 1 · References 9
Vulnrichment
added 2023/05/29 12:00 a.m. · 8 views

CVE-2021-37845

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command, a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595. This potentially allows an attacker...

AI score 6.6 · EPSS 0.00665
Exploits 1 · References 3
Cvelist
added 2023/05/29 12:00 a.m. · 17 views

CVE-2021-37845

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command, a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595. This potentially allows an attacker...

AI score 4.5 · EPSS 0.00665
Exploits 1 · References 3
CVE
added 2023/05/29 12:00 a.m. · 49 views

CVE-2021-37845

CVE-2021-37845 affects Citadel (webcit-932). A MITM attacker can fixate a session in the cleartext phase before STARTTLS, violating RFC2595, potentially causing a victim's e-mail messages to be stored in the attacker's IMAP mailbox, depending on the victim client behavior. The available documents...

CVSS 3.7 · AI score 4.3 · EPSS 0.00665
Exploits 1 · References 3 · Affected Software 1