Alpine
CVE-2021-38370
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS.
AnalysisAI
In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS. Affected products include: Alpine Project Alpine. Version information: before 2.25.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.
Alpine is a scaffolding library in Java. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involvi
Alpine is a scaffolding library in Java. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, n
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today