This repository has been archived by the owner on Dec 15, 2020. It is now read-only.
Fleet may expose SMTP credentials over insecure connection when LOGIN authentication is used
Package
No package listed
Affected versions
>2.0.2
Patched versions
2.1.2
This advisory only affects installations using the LOGIN authentication method for SMTP (added in Fleet 2.0.2).
Impact
The implementation of LOGIN auth could expose SMTP credentials over an insecure connection if the server did not claim to support STARTTLS. This could allow an attacker to sniff or MITM SMTP traffic and obtain the credentials.
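The guard that closes this kind of gap, shown as an added example for a client built on Go's `net/smtp` (an assumption; this is not Fleet's code). The names `loginAuth`, `ErrUnencrypted` and `startWith`, and the host and credentials, are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
	"strings"
)

// ErrUnencrypted is returned instead of sending credentials in the clear.
var ErrUnencrypted = errors.New("smtp: refusing LOGIN auth on unencrypted connection")
// loginAuth is a hypothetical smtp.Auth implementation of the LOGIN mechanism.
type loginAuth struct{ username, password string }

// Start runs before any credential leaves the client. net/smtp sets server.TLS
// only once the connection is encrypted, so a server without STARTTLS stops here.
func (a *loginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS {
		return "", nil, ErrUnencrypted
	}
	return "LOGIN", nil, nil
}

// Next answers the (already base64-decoded) "Username:" and "Password:" challenges.
func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if !more {
		return nil, nil
	}
	switch strings.ToLower(strings.TrimSpace(string(fromServer))) {
	case "username:":
		return []byte(a.username), nil
	case "password:":
		return []byte(a.password), nil
	}
	return nil, fmt.Errorf("smtp: unexpected LOGIN challenge %q", fromServer)
}

// startWith mimics the ServerInfo that smtp.Client.Auth hands to Start.
func startWith(a smtp.Auth, encrypted bool) (string, error) {
	proto, _, err := a.Start(&smtp.ServerInfo{Name: "mail.example.test", TLS: encrypted})
	return proto, err
}

func main() {
	a := &loginAuth{username: "user@example.test", password: "constructed-password"} // constructed values
	_, errPlain := startWith(a, false)
	proto, errTLS := startWith(a, true)
	fmt.Println(errPlain, "|", proto, errTLS)
}
```

Because the refusal happens in `Start`, the `AUTH LOGIN` command is never issued on a plaintext session, so neither the username nor the password is written to the socket.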
Patches
Affected users should immediately update to Fleet 2.1.2 and rotate the affected SMTP credentials.
Workarounds
If upgrade is not possible, do not use LOGIN auth for SMTP.