The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Inn | Isc | 1.5.1 | 1.5.1 |
| Inn | Isc | 2.2 | 2.2 |
| Inn | Isc | 2.2.2 | 2.2.2 |
| Inn | Isc | 1.4unoff4 | 1.4unoff4 |
| Inn | Isc | 1.4sec | 1.4sec |
| Inn | Isc | 1.7.2 | 1.7.2 |
| Inn | Isc | 2.0 | 2.0 |
| Inn | Isc | 2.4.0 | 2.4.0 |
| Inn | Isc | 1.7 | 1.7 |
| Inn | Isc | 1.4unoff3 | 1.4unoff3 |
| Inn | Isc | 2.1 | 2.1 |
| Inn | Isc | 1.4 | 1.4 |
| Inn | Isc | 2.2.1 | 2.2.1 |
| Inn | Isc | 1.4sec2 | 1.4sec2 |
| Inn | Isc | 2.2.3 | 2.2.3 |
| Inn | Isc | * | 2.5.2 |
| Inn | Isc | 1.5 | 1.5 |