1. Home
  2. Vulnerabilities
  3. CVE-2014-3556

CVE-2014-3556

CVSS v2.0 6.8 (Medium)
68% Progress
EPSS 0.16 % (54th)
0.16% Progress
Affected Products 1
Advisories 2
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

Weaknesses
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related CVEs
CVE Status
PUBLISHED
CNA
Red Hat, Inc.
Published Date
2014-12-29 20:59:03
(9 years ago)
Updated Date
2021-11-10 15:59:33
(2 years ago)

Affected Products

F5

Configuration #1

    CPE23 From Up To
  F5 Nginx from 1.5.6 version and prior 1.6.1 version cpe:2.3:a:f5:nginx >= 1.5.6 < 1.6.1
  F5 Nginx from 1.7.0 version and prior 1.7.4 version cpe:2.3:a:f5:nginx >= 1.7.0 < 1.7.4