CVE-2021-38370 — Command Injection in Project Alpine

Severity

5.9MEDIUMNVD

OSV7.5

EPSS

0.4%

top 40.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedAug 10

Latest updateMar 20

Description

In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

▶debiandebian/alpine< alpine 2.25+dfsg1-1 (bookworm)

▶Debianalpine_project/alpine< 2.25+dfsg1-1+2

▶Ubuntualpine_project/alpine< 2.20+dfsg1-2ubuntu0.1~esm1+2

OSV

alpine vulnerabilities↗2025-03-20

▶

GHSA

GHSA-2c2h-qvww-cw95: In Alpine through 2↗2022-05-24

▶

OSV

CVE-2021-38370: In Alpine before 2↗2021-08-10

▶

Ubuntu

Alpine vulnerabilities↗2025-03-20

▶

Debian

CVE-2021-38370: alpine - In Alpine before 2.25, untagged responses from an IMAP server are accepted befor...↗2021

▶