This advisory only effects installations using the LOGIN authentication method for SMTP (added in Fleet 2.0.2).
Impact
The implementation of LOGIN auth could expose SMTP credentials over an insecure connection if the server did not claim to support STARTTLS. This could allow an attacker to sniff or MITM SMTP traffic and obtain the credentials.
Patches
Effected users should immediately update to Fleet 2.1.2 and rotate the effected SMTP credentials.
Workarounds
If upgrade is not possible, do not use LOGIN auth for SMTP.
This advisory only effects installations using the LOGIN authentication method for SMTP (added in Fleet 2.0.2).
Impact
The implementation of LOGIN auth could expose SMTP credentials over an insecure connection if the server did not claim to support STARTTLS. This could allow an attacker to sniff or MITM SMTP traffic and obtain the credentials.
Patches
Effected users should immediately update to Fleet 2.1.2 and rotate the effected SMTP credentials.
Workarounds
If upgrade is not possible, do not use LOGIN auth for SMTP.