CVE-2011-1431

The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
frederik_vermeulennetqmail
1.06
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qmail
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
dne
utopic
dne
trusty
dne
saucy
dne
raring
dne
quantal
ignored
precise
ignored
oneiric
ignored
natty
ignored
maverick
ignored
lucid
ignored
karmic
ignored
hardy
ignored
dapper
ignored
References
http://inoa.net/qmail-tls/vu555316.patch
http://securityreason.com/securityalert/8144
http://www.kb.cert.org/vuls/id/555316
http://www.kb.cert.org/vuls/id/MAPG-8D9M5Q
http://www.postfix.org/CVE-2011-0411.html
http://www.securityfocus.com/archive/1/516901
http://www.securityfocus.com/bid/46767
http://www.vupen.com/english/advisories/2011/0612
https://exchange.xforce.ibmcloud.com/vulnerabilities/65932
http://inoa.net/qmail-tls/vu555316.patch
http://securityreason.com/securityalert/8144
http://www.kb.cert.org/vuls/id/555316
http://www.kb.cert.org/vuls/id/MAPG-8D9M5Q
http://www.postfix.org/CVE-2011-0411.html
http://www.securityfocus.com/archive/1/516901
http://www.securityfocus.com/bid/46767
http://www.vupen.com/english/advisories/2011/0612
https://exchange.xforce.ibmcloud.com/vulnerabilities/65932