PT-2023-12254 · Unknown+2 · Mailman Core+2

Legoktm · Published 2022-10-21 · Updated 2024-06-15 · CVE-2021-34337

CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected software and versions: Mailman Core versions prior to 3.3.5
Description: An attacker who can reach the REST API can use a timing attack against the password check to recover the configured REST API password one character at a time, and then make arbitrary REST API calls with it. The REST API is bound to localhost by default, which limits who can mount the attack, but it can optionally be configured to listen on other interfaces.
Recommendations: For Mailman Core versions prior to 3.3.5, update to version 3.3.5 or later. As a temporary workaround, restrict access to the REST API: keep it bound to localhost (the default `hostname` in the `[webservice]` section of mailman.cfg) and firewall the port so that only trusted local processes can reach it.
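The following is an added example, not Mailman's own code, showing the general weakness class behind the advisory: a password comparison that stops at the first mismatching byte leaks how many leading bytes of a guess were correct, which lets an attacker recover the secret byte by byte with a number of queries linear in its length. To keep the demonstration deterministic and runnable offline, the leak is modelled as a count of bytes examined rather than wall-clock time; in a real attack the same signal is extracted from many timed network requests. `SECRET`, `ALPHABET`, `LeakyServer` and `ConstantTimeServer` are constructed for the example and do not correspond to Mailman's implementation.

```python
import hmac
import string

# Constructed sample secret for the demonstration; not a real credential.
SECRET = b"restpass"
ALPHABET = (string.ascii_lowercase + string.digits).encode()


class LeakyServer:
    """Password check with an early-exit comparison (the vulnerable pattern).

    check() returns (authenticated, work), where work is the number of bytes
    examined before the comparison stopped. It stands in for the response
    time an attacker would measure over the network: one extra matching
    byte means one extra unit of work.
    """

    def __init__(self, secret: bytes):
        self._secret = secret

    def check(self, guess: bytes):
        if len(guess) != len(self._secret):
            return False, 0
        work = 0
        for g, s in zip(guess, self._secret):
            work += 1
            if g != s:          # stops at the first mismatch: this is the leak
                return False, work
        return True, work


class ConstantTimeServer:
    """Same check using hmac.compare_digest (the hardened pattern).

    compare_digest examines every byte of same-length inputs no matter where
    they differ, so the work reported is always the full secret length.
    """

    def __init__(self, secret: bytes):
        self._secret = secret

    def check(self, guess: bytes):
        ok = hmac.compare_digest(guess, self._secret)
        return ok, len(self._secret)


def recover_password(server, length: int, alphabet: bytes = ALPHABET):
    """Byte-at-a-time recovery driven only by the server's work signal.

    For each position, every candidate byte is tried with a filler for the
    remaining bytes; the candidate that makes the server do the most work is
    the one that matched. Returns (password, queries) on success, or
    (None, queries) as soon as a position yields no distinguishable
    candidate, which is what happens against the constant-time server.
    """
    known = b""
    queries = 0
    for pos in range(length):
        best, best_work = None, -1
        seen = set()
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            ok, work = server.check(guess)
            queries += 1
            if ok:
                return guess, queries
            seen.add(work)
            if work > best_work:
                best, best_work = c, work
        if len(seen) < 2:
            return None, queries   # no leak at this position: give up
        known += bytes([best])
    return None, queries


if __name__ == "__main__":
    for name, srv in (("leaky", LeakyServer(SECRET)),
                      ("constant-time", ConstantTimeServer(SECRET))):
        pw, n = recover_password(srv, len(SECRET))
        print(f"{name:13s}: recovered={pw!r} after {n} queries")
```

Against the leaky server the 8-byte secret falls in a few hundred queries instead of the 36^8 needed for brute force; against the constant-time server the attacker learns nothing after one pass over the alphabet and stops. The fix is the same in any language: compare credentials with a constant-time primitive (`hmac.compare_digest` in Python) rather than `==`, and keep the API off untrusted networks regardless.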

Fix

Weakness Enumeration

Related identifiers

ALT-PU-2023-5747
CVE-2021-34337
GHSA-2JG5-XGVV-4WQ7
OESA-2022-2005
OPENSUSE-SU-2024:11644-1
OPENSUSE-SU-2024:11760-1
PYSEC-2023-22

Affected products

Alt Linux
Debian
Mailman Core