Lucene search

Veracode Vulnerability DatabaseVERACODE:24439

HistoryApr 10, 2020 - 12:54 a.m.

Command Injection

2020-04-1000:54:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

postfix is vulnerable to command injection. It was discovered that Postfix did not flush the received SMTP commands buffer after switching to TLS encryption for an SMTP session. A man-in-the-middle attacker could use this flaw to inject SMTP commands into a victim’s session during the plain text phase. This would lead to those commands being processed by Postfix after TLS encryption is enabled, possibly allowing the attacker to steal the victim’s mail or authentication credentials.

CPENameOperatorVersion
postfixeq2.2.10__1.2.1.el4_7
postfixeq2.2.10__1.1.el4
postfixeq2.3.3__2.1.el5_2
postfixeq2.6.6__2.el6
postfixeq2.2.10__1.2.el4

Name	Operator	Version
postfix	eq	2.2.10__1.2.1.el4_7
postfix	eq	2.2.10__1.1.el4
postfix	eq	2.3.3__2.1.el5_2
postfix	eq	2.6.6__2.el6
postfix	eq	2.2.10__1.2.el4

References

kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

lists.fedoraproject.org/pipermail/package-announce/2011-March/056559.html

lists.fedoraproject.org/pipermail/package-announce/2011-March/056560.html

lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html

secunia.com/advisories/43646

secunia.com/advisories/43874

security.gentoo.org/glsa/glsa-201206-33.xml

securitytracker.com/id?1025179

support.apple.com/kb/HT5002

www.debian.org/security/2011/dsa-2233

www.kb.cert.org/vuls/id/555316

www.kb.cert.org/vuls/id/MORO-8ELH6Z

www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

www.osvdb.org/71021

www.postfix.org/CVE-2011-0411.html

www.redhat.com/support/errata/RHSA-2011-0422.html

www.redhat.com/support/errata/RHSA-2011-0423.html

www.securityfocus.com/bid/46767

www.vupen.com/english/advisories/2011/0611

www.vupen.com/english/advisories/2011/0752

www.vupen.com/english/advisories/2011/0891

access.redhat.com/errata/RHSA-2011:0423

access.redhat.com/security/updates/classification/#moderate

exchange.xforce.ibmcloud.com/vulnerabilities/65932

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Related for VERACODE:24439