CVE-2014-3556

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
f5nginx
1.5.6 ≤
𝑥
< 1.6.1
f5nginx
1.7.0 ≤
𝑥
< 1.7.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nginx
bullseye (security)
1.18.0-6.1+deb11u3
fixed
bullseye
1.18.0-6.1+deb11u3
fixed
wheezy
not-affected
squeeze
not-affected
bookworm
1.22.1-9
fixed
sid
1.26.0-3
fixed
trixie
1.26.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nginx
trusty
not-affected
precise
not-affected
lucid
ignored
Common Weakness Enumeration
References
http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html
http://marc.info/?l=bugtraq&m=142103967620673&w=2
http://nginx.org/download/patch.2014.starttls.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1126891
http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html
http://marc.info/?l=bugtraq&m=142103967620673&w=2
http://nginx.org/download/patch.2014.starttls.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1126891