{"id":"UBUNTU-CVE-2021-38084","details":"An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session.","modified":"2026-04-27T17:01:38.452154Z","published":"2021-08-03T22:15:00Z","upstream":["CVE-2021-38084"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-38084"},{"type":"REPORT","url":"https://sourceforge.net/p/courier/mailman/courier-imap/thread/cone.1382574216.483027.8082.1000%40monster.email-scan.com/#msg31555583"},{"type":"REPORT","url":"https://sourceforge.net/p/courier/mailman/message/37329216/"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-38084"}],"affected":[{"package":{"name":"courier","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/courier@0.68.2-1ubuntu7?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.68.2-1ubuntu5","0.68.2-1ubuntu6","0.68.2-1ubuntu7"],"ecosystem_specific":{"binaries":[{"binary_name":"courier-base","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-faxmail","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-imap","binary_version":"4.10.0-20120615-1ubuntu7"},{"binary_name":"courier-imap-ssl","binary_version":"4.10.0-20120615-1ubuntu7"},{"binary_name":"courier-ldap","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-maildrop","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-mlm","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-mta","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-mta-ssl","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-pcp","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-pop","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-pop-ssl","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-ssl","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"courier-webadmin","binary_version":"0.68.2-1ubuntu7"},{"binary_name":"sqwebmail","binary_version":"0.68.2-1ubuntu7"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38084.json"}},{"package":{"name":"courier","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/courier@0.78.0-2ubuntu2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.78.0-2","0.78.0-2ubuntu1","0.78.0-2ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"courier-base","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-faxmail","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-imap","binary_version":"4.18.1+0.78.0-2ubuntu2"},{"binary_name":"courier-imap-ssl","binary_version":"4.18.1+0.78.0-2ubuntu2"},{"binary_name":"courier-ldap","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-maildrop","binary_version":"2.9.1+0.78.0-2ubuntu2"},{"binary_name":"courier-mlm","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-mta","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-mta-ssl","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-pcp","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-pop","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-pop-ssl","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-ssl","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"courier-webadmin","binary_version":"0.78.0-2ubuntu2"},{"binary_name":"sqwebmail","binary_version":"5.9.0+0.78.0-2ubuntu2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38084.json"}},{"package":{"name":"courier","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/courier@1.0.6-1build2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.6-1build1","1.0.6-1build2"],"ecosystem_specific":{"binaries":[{"binary_name":"courier-base","binary_version":"1.0.6-1build2"},{"binary_name":"courier-faxmail","binary_version":"1.0.6-1build2"},{"binary_name":"courier-imap","binary_version":"5.0.6+1.0.6-1build2"},{"binary_name":"courier-ldap","binary_version":"1.0.6-1build2"},{"binary_name":"courier-mlm","binary_version":"1.0.6-1build2"},{"binary_name":"courier-mta","binary_version":"1.0.6-1build2"},{"binary_name":"courier-pcp","binary_version":"1.0.6-1build2"},{"binary_name":"courier-pop","binary_version":"1.0.6-1build2"},{"binary_name":"courier-webadmin","binary_version":"1.0.6-1build2"},{"binary_name":"sqwebmail","binary_version":"6.0.0+1.0.6-1build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38084.json"}},{"package":{"name":"courier","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/courier@1.0.16-3build3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.16-3build1","1.0.16-3build2","1.0.16-3build3"],"ecosystem_specific":{"binaries":[{"binary_name":"courier-base","binary_version":"1.0.16-3build3"},{"binary_name":"courier-faxmail","binary_version":"1.0.16-3build3"},{"binary_name":"courier-imap","binary_version":"5.0.13+1.0.16-3build3"},{"binary_name":"courier-ldap","binary_version":"1.0.16-3build3"},{"binary_name":"courier-mlm","binary_version":"1.0.16-3build3"},{"binary_name":"courier-mta","binary_version":"1.0.16-3build3"},{"binary_name":"courier-pcp","binary_version":"1.0.16-3build3"},{"binary_name":"courier-pop","binary_version":"1.0.16-3build3"},{"binary_name":"courier-webadmin","binary_version":"1.0.16-3build3"},{"binary_name":"sqwebmail","binary_version":"6.0.5+1.0.16-3build3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38084.json"}},{"package":{"name":"courier","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/courier@1.4.1-3?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.13-11","1.4.1-1","1.4.1-2","1.4.1-2build1","1.4.1-3"],"ecosystem_specific":{"binaries":[{"binary_name":"courier-base","binary_version":"1.4.1-3"},{"binary_name":"courier-faxmail","binary_version":"1.4.1-3"},{"binary_name":"courier-imap","binary_version":"5.2.11+1.4.1-3"},{"binary_name":"courier-ldap","binary_version":"1.4.1-3"},{"binary_name":"courier-mlm","binary_version":"1.4.1-3"},{"binary_name":"courier-mta","binary_version":"1.4.1-3"},{"binary_name":"courier-pcp","binary_version":"1.4.1-3"},{"binary_name":"courier-pop","binary_version":"1.4.1-3"},{"binary_name":"courier-webadmin","binary_version":"1.4.1-3"},{"binary_name":"sqwebmail","binary_version":"6.2.9+1.4.1-3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38084.json"}},{"package":{"name":"courier","ecosystem":"Ubuntu:26.04","purl":"pkg:deb/ubuntu/courier@1.5.1-2?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.1-3","1.4.1-10","1.5.1-2"],"ecosystem_specific":{"binaries":[{"binary_name":"courier-base","binary_version":"1.5.1-2"},{"binary_name":"courier-faxmail","binary_version":"1.5.1-2"},{"binary_name":"courier-imap","binary_version":"5.3.1+1.5.1-2"},{"binary_name":"courier-ldap","binary_version":"1.5.1-2"},{"binary_name":"courier-mlm","binary_version":"1.5.1-2"},{"binary_name":"courier-mta","binary_version":"1.5.1-2"},{"binary_name":"courier-pcp","binary_version":"1.5.1-2"},{"binary_name":"courier-pop","binary_version":"1.5.1-2"},{"binary_name":"courier-webadmin","binary_version":"1.5.1-2"},{"binary_name":"sqwebmail","binary_version":"6.3.1+1.5.1-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-38084.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}