PT-2021-3364 · Opensuse · Opensuse Leap

Matthias Gerstner · Published 2021-02-17 · Updated 2023-06-22 · CVE-2021-25322

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
python-HyperKitty versions prior to 1.3.4-5.1 (openSUSE Factory); openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions.

Description
The issue is a UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty, which allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. The vulnerability lies in the implementation of the hyperkitty-permissions.sh script in the HyperKitty web interface for accessing Mailman archives.

Recommendations
For openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions, update to a version later than 1.3.2-lp152.2.3.1. For openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1, update to a version later than 1.3.4-5.1. As a temporary workaround, consider restricting access to the hyperkitty-permissions.sh script until a patch is available.

Related Identifiers

BDU:2021-03210
CVE-2021-25322
OPENSUSE-SU-2024:11207-1

Affected Products

Opensuse Leap