CVE-2014-3556
Description
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.
Risk Information
Base Score
7.4
MODERATE
Vector
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
48.169
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update Nginx to 9.1.19 | Windows |
| Update Nginx to 9.1.5 | Windows |
| Update Nginx to 9.1.8 | Windows |
| Update Nginx to 9.2.14 | Windows |
| Update Nginx to 9.2.19 | Windows |
| Update Nginx to 9.2.3 | Windows |
| Update Nginx to 9.2.7 | Windows |
| Update Nginx to 9.3.10 | Windows |
| Update Nginx to 9.3.15 | Windows |
| Update Nginx to 9.3.17 | Windows |
| Update Nginx to 9.1.19 (For Linux) | Linux |
| Update Nginx to 9.1.5 (For Linux) | Linux |
| Update Nginx to 9.1.8 (For Linux) | Linux |
| Update Nginx to 9.2.14 (For Linux) | Linux |
| Update Nginx to 9.2.19 (For Linux) | Linux |
| Update Nginx to 9.2.3 (For Linux) | Linux |
| Update Nginx to 9.2.7 (For Linux) | Linux |
| Update Nginx to 9.3.10 (For Linux) | Linux |
| Update Nginx to 9.3.15 (For Linux) | Linux |
| Update Nginx to 9.3.17 (For Linux) | Linux |
| Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability (CVE-2014-3556) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234