Severity: 5.3 MEDIUM
EPSS: 0.2% (top 63.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2021-08-10; latest update 2022-05-24

Description

In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. The affected code lives in ksmtp, the SMTP transport library KMail uses for outgoing mail, which is why Debian tracks the fix in the ksmtp package rather than in kmail itself.
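As an added illustration, not ksmtp or KMail source, the following Python models the decision an SMTP client makes after EHLO: whether to issue STARTTLS before AUTH and the envelope. `plan_buggy` gates the TLS upgrade on the "Server requires authentication" setting, which reproduces the cleartext send the description reports; `plan_fixed` keys the upgrade on the STARTTLS setting alone and fails closed when the server does not advertise it. Hostnames, addresses, the `Config` fields and both EHLO replies are constructed for the example.

```python
import re
from dataclasses import dataclass


class TlsRequiredError(Exception):
    """Raised when the client would otherwise fall back to cleartext."""


@dataclass(frozen=True)
class Config:
    starttls: bool        # account setting: use STARTTLS on the SMTP connection
    requires_auth: bool   # account setting: "Server requires authentication"


# Constructed EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
EHLO_NO_STARTTLS = (
    "250-mail.example.test\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

# Envelope commands, identical for both variants.
ENVELOPE = ["MAIL FROM:<alice@example.test>", "RCPT TO:<bob@example.test>", "DATA"]


def ehlo_extensions(ehlo_reply):
    """Extension keywords advertised in a multi-line 250 EHLO reply."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:  # first line carries the server name
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def plan_buggy(cfg, ehlo_reply):
    """Client that only considers a TLS upgrade on the authentication path
    (the behaviour CVE-2021-38373 describes). Returns (commands, tls_before_data)."""
    cmds = ["EHLO client.example.test"]
    tls = False
    if cfg.requires_auth:
        if cfg.starttls and "STARTTLS" in ehlo_extensions(ehlo_reply):
            cmds += ["STARTTLS", "EHLO client.example.test"]
            tls = True
        cmds.append("AUTH PLAIN <credentials>")
    # With requires_auth unset the STARTTLS branch is never reached, so the
    # message body goes out in cleartext although the user selected STARTTLS.
    return cmds + ENVELOPE, tls


def plan_fixed(cfg, ehlo_reply):
    """Same decision keyed on the STARTTLS setting alone. If STARTTLS is
    configured but not offered, abort instead of continuing in cleartext."""
    cmds = ["EHLO client.example.test"]
    tls = False
    if cfg.starttls:
        if "STARTTLS" not in ehlo_extensions(ehlo_reply):
            raise TlsRequiredError("STARTTLS configured but not offered by server")
        cmds += ["STARTTLS", "EHLO client.example.test"]  # re-EHLO after the upgrade (RFC 3207)
        tls = True
    if cfg.requires_auth:
        cmds.append("AUTH PLAIN <credentials>")
    return cmds + ENVELOPE, tls


def refuses_cleartext(cfg, ehlo_reply):
    """True if plan_fixed would abort rather than send in cleartext."""
    try:
        plan_fixed(cfg, ehlo_reply)
    except TlsRequiredError:
        return True
    return False


if __name__ == "__main__":
    cfg = Config(starttls=True, requires_auth=False)
    for name, plan in (("buggy", plan_buggy), ("fixed", plan_fixed)):
        cmds, tls = plan(cfg, EHLO_WITH_STARTTLS)
        print(f"{name}: TLS before DATA = {tls}; " + " | ".join(cmds))
```

The instructive case is `Config(starttls=True, requires_auth=False)`: the buggy planner never emits STARTTLS and reaches DATA on the cleartext channel, while the fixed planner upgrades first. The fixed variant also refuses when a server (or an active attacker stripping the capability) omits STARTTLS from its EHLO reply, which is the fail-closed behaviour a client should have whenever the user chose encryption.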

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (2)

Debian: ksmtp < 21.12.3-2+2
NVD: kde/kmail 19.12.3

Vulnerability Details (3)

GHSA: GHSA-rc8g-gfxp-864v, "In KDE KMail 19…", 2022-05-24
CVEList: CVE-2021-38373, "In KDE KMail 19…", 2021-08-10
OSV: CVE-2021-38373, "In KDE KMail 19…", 2021-08-10

Vendor Advisories (2)

Red Hat: kmail: STARTTLS is ignored when "Server requires authentication" not checked in UI (2021-08-09)
Debian: CVE-2021-38373: ksmtp - In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and ... (2021)
CVE-2021-38373 (MEDIUM CVSS 5.3) | In KDE KMail 19.12.3 (aka 5.13.3) | cvebase.io