In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.
There's also an issue described on the NO STARTTLS website that says "Crash
when LIST or LSUB send before STARTTLS". Both the status of this issue and the
CVE are "Unknown (reported via email).
The vulnerability described in this bug was also in the NO STARTTLS report.