The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending.
The CVE references this, but it 404s for me: https://www.exim.org/static/doc/security/CVE-2021-38371.txt
@hanno: do you know if there's any news on this?
No, except that we recently got a request to re-check this and could confirm that it was still present in Exim 4.95.
I have to say during our research this wasn't a main focus of ours. We mostly looked into mail client to server communication and kinda looked at the server-to-server part only briefly, as we already had the tools ready. We reported issues, but didn't really follow up (also, generally people have less expectation of s2s connections being secure).
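The general shape of a STARTTLS response-buffering flaw in an SMTP sender, and the check that closes it, as an added example that is not from this thread and is not Exim's code. The class and function names are hypothetical, the traffic is constructed, and the TLS channel is simulated by a second list of reads.

```python
class ReplyReader:
    """Buffered SMTP reply reader fed from a list of constructed recv() results."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.buf = b""

    def read_reply(self):
        """Return one complete (possibly multi-line) reply as a list of lines."""
        lines = []
        while True:
            while b"\r\n" not in self.buf:
                if not self.chunks:
                    raise EOFError("peer closed the connection")
                self.buf += self.chunks.pop(0)
            line, self.buf = self.buf.split(b"\r\n", 1)
            lines.append(line.decode("ascii"))
            if line[3:4] != b"-":  # "250-" continues, "250 " ends the reply
                return lines

    def start_tls(self, tls_chunks, strict):
        """Switch to the (simulated) TLS channel after the 220 STARTTLS reply."""
        if self.buf and strict:
            # Anything still buffered arrived in cleartext before the handshake.
            raise ConnectionError("plaintext buffered after STARTTLS reply")
        # Non-strict: stale cleartext stays in self.buf and is parsed next.
        self.chunks = list(tls_chunks)


def first_reply_after_tls(plain_chunks, tls_chunks, strict):
    """Run greeting, EHLO, STARTTLS, then return the reply read 'inside' TLS."""
    r = ReplyReader(plain_chunks)
    r.read_reply()                      # 220 greeting
    r.read_reply()                      # 250 reply to EHLO
    if not r.read_reply()[0].startswith("220"):  # reply to STARTTLS
        raise ConnectionError("STARTTLS refused")
    r.start_tls(tls_chunks, strict)
    return r.read_reply()               # reply to the post-handshake EHLO


# Constructed traffic; hostnames are placeholders.
CLEAN = [b"220 mx.example ESMTP\r\n",
         b"250-mx.example\r\n250 STARTTLS\r\n",
         b"220 TLS go ahead\r\n"]
# Same session, but extra cleartext rides in the segment carrying the 220.
TAMPERED = CLEAN[:2] + [b"220 TLS go ahead\r\n250 unauthenticated.example\r\n"]
TLS = [b"250-mx.example\r\n250 SIZE 1000\r\n"]
```

With `strict=False` the tampered session yields the cleartext line as if it had been received over TLS; with `strict=True` the sender aborts before the handshake, and the clean session is unaffected either way.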