CVE-2021-46853
Published: 2022-11-03

CVE-2021-46853: Alpine before 2.25 allows remote attackers to cause a denial of service (application crash) when LIST or LSUB is sent before STARTTLS.
Priority P422 · medium · CVSS 3.1: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.84% (53.3th percentile)
Alpine before 2.25 allows remote attackers to cause a denial of service (application crash) when LIST or LSUB is sent before STARTTLS.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alpine_project | alpine | < 2.25 | 2.25 |
| alpine_project | alpine | >= 0 < 2.25+dfsg1-1 | 2.25+dfsg1-1 |
| alpine_project | alpine | >= 0 < 2.25+dfsg1-1 | 2.25+dfsg1-1 |
| alpine_project | alpine | >= 0 < 2.25+dfsg1-1 | 2.25+dfsg1-1 |
| alpine_project | alpine | >= 0 < 2.20+dfsg1-2ubuntu0.1~esm1 | 2.20+dfsg1-2ubuntu0.1~esm1 |
| alpine_project | alpine | >= 0 < 2.21+dfsg1-1ubuntu0.1~esm1 | 2.21+dfsg1-1ubuntu0.1~esm1 |
| alpine_project | alpine | >= 0 < 2.22+dfsg1-1ubuntu0.1~esm1 | 2.22+dfsg1-1ubuntu0.1~esm1 |
| debian | alpine | < alpine 2.25+dfsg1-1 (bookworm) | alpine 2.25+dfsg1-1 (bookworm) |
CVSS provenance
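| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 5.9 | MEDIUM | |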
Ubuntu
Alpine vulnerabilities
vendor_ubuntu·2025-03-20·CVSS 7.5
CVE-2021-46853 [HIGH] Alpine vulnerabilities
Title: Alpine vulnerabilities
Summary: Several security issues were fixed in Alpine.
It was discovered that Alpine did not use a secure connection under
certain circumstances. A remote attacker could possibly use this issue to
leak sensitive information. (CVE-2020-14929)
It was discovered that Alpine could allow untagged responses from an
IMAP server before upgrading to a TLS connection. A remote attacker could
possibly use this issue to leak sensitive information. (CVE-2021-38370)
It was discovered that Alpine could crash when receiving certain SMTP
commands. A remote attacker could possibly use this issue to cause a denial
of service. (CVE-2021-46853)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2021-46853: alpine - Alpine before 2.25 allows remote attackers to cause a denial of service (applica...
vendor_debian·2021·CVSS 5.9
CVE-2021-46853 [MEDIUM] CVE-2021-46853: alpine - Alpine before 2.25 allows remote attackers to cause a denial of service (applica...
Alpine before 2.25 allows remote attackers to cause a denial of service (application crash) when LIST or LSUB is sent before STARTTLS.
Scope: local
bookworm: resolved (fixed in 2.25+dfsg1-1)
bullseye: open
forky: resolved (fixed in 2.25+dfsg1-1)
sid: resolved (fixed in 2.25+dfsg1-1)
trixie: resolved (fixed in 2.25+dfsg1-1)
OSV
alpine vulnerabilities
osv·2025-03-20·CVSS 7.5
CVE-2020-14929 [HIGH] alpine vulnerabilities
alpine vulnerabilities
It was discovered that Alpine did not use a secure connection under
certain circumstances. A remote attacker could possibly use this issue to
leak sensitive information. (CVE-2020-14929)
It was discovered that Alpine could allow untagged responses from an
IMAP server before upgrading to a TLS connection. A remote attacker could
possibly use this issue to leak sensitive information. (CVE-2021-38370)
It was discovered that Alpine could crash when receiving certain SMTP
commands. A remote attacker could possibly use this issue to cause a denial
of service. (CVE-2021-46853)
GHSA
GHSA-v9q2-jxcm-rm4c: Alpine before 2
ghsa_unreviewed·2022-11-03
CVE-2021-46853 [MEDIUM] CWE-367 GHSA-v9q2-jxcm-rm4c: Alpine before 2
Alpine before 2.25 allows remote attackers to cause a denial of service (daemon crash) when LIST or LSUB is sent before STARTTLS.
OSV
CVE-2021-46853: Alpine before 2
osv·2022-11-03·CVSS 5.9
CVE-2021-46853 [MEDIUM] CVE-2021-46853: Alpine before 2
Alpine before 2.25 allows remote attackers to cause a denial of service (application crash) when LIST or LSUB is sent before STARTTLS.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-11-03