PT-2021-4287 · Hyperkitty
Amir Sarabadani
Published: 2021-05-26 · Updated: 2022-06-05
CVE-2021-33038
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
HyperKitty versions prior to 1.3.5
Description
The issue arises when archives of private mailing lists are imported: the imported messages become publicly accessible while the import is still in progress. A remote, unauthenticated attacker could therefore read confidential data from the web archive. For example, during a large migration from Mailman 2 to Mailman 3, sensitive messages might be exposed on the web for around an hour.
Recommendations
For HyperKitty versions prior to 1.3.5, update to version 1.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the management/commands/hyperkitty_import.py module until a patch is available, and avoid running the hyperkitty_import command on private mailing list archives until the issue is resolved.
Vulnerability type: Information Disclosure
Weakness: Incorrect Default Permissions
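To make the failure mode concrete, the following is an added, constructed Python model of the ordering defect described above: a newly created list defaults to public, messages are inserted, and only afterwards is the list marked private, so an anonymous reader sees the messages during the import window. The hardened variant sets the visibility before inserting anything. This is illustrative code written for this advisory, not HyperKitty's own; the `ArchiveStore` class, the sample list name and the messages are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of an archive store. The default `private=False` is the
# "incorrect default permission": a list is public unless the importer says otherwise.
@dataclass
class ArchivedList:
    name: str
    private: bool = False
    messages: list = field(default_factory=list)


class ArchiveStore:
    def __init__(self):
        self.lists = {}
        # list name -> largest number of messages an anonymous reader could see at any point
        self.exposed = {}

    def get_or_create(self, name, private=None):
        lst = self.lists.get(name)
        if lst is None:
            lst = ArchivedList(name)
            if private is not None:
                lst.private = private
            self.lists[name] = lst
        return lst

    def anonymous_read(self, name):
        """What an unauthenticated web visitor would get for this list right now."""
        lst = self.lists[name]
        return [] if lst.private else list(lst.messages)

    def add_message(self, name, msg):
        self.lists[name].messages.append(msg)
        # Simulate a crawler hitting the archive after every insert, as would happen
        # during a long-running migration, and record the worst exposure seen.
        visible = len(self.anonymous_read(name))
        self.exposed[name] = max(self.exposed.get(name, 0), visible)


def import_archive_vulnerable(store, source):
    """Vulnerable ordering: create with default (public) visibility, import, then restrict."""
    name = source["name"]
    store.get_or_create(name)
    for msg in source["messages"]:
        store.add_message(name, msg)
    store.lists[name].private = source["private"]
    return store.exposed.get(name, 0)


def import_archive_fixed(store, source):
    """Hardened ordering: propagate the source list's privacy before the first insert."""
    name = source["name"]
    lst = store.get_or_create(name, private=source["private"])
    # Defensive check: if the list already existed with weaker visibility, stop before
    # importing anything rather than leaking the archive.
    if source["private"] and not lst.private:
        raise RuntimeError(f"{name} exists and is public; refusing to import private archive")
    for msg in source["messages"]:
        store.add_message(name, msg)
    return store.exposed.get(name, 0)


# Constructed sample: a private list with three messages (not real data).
SAMPLE_PRIVATE = {"name": "board@example.org", "private": True,
                  "messages": ["budget draft", "hiring plan", "legal memo"]}


def demo():
    """Returns (messages exposed by vulnerable import, messages exposed by fixed import)."""
    vuln = import_archive_vulnerable(ArchiveStore(), SAMPLE_PRIVATE)
    fixed = import_archive_fixed(ArchiveStore(), SAMPLE_PRIVATE)
    return vuln, fixed


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The point of the model is the ordering: restrictive permissions must be applied before data is populated, and an import should refuse to proceed when the target already exists with weaker visibility than the source. The `exposed` counter is the kind of check a migration runbook can keep, since it records the worst-case view an anonymous reader had at any moment rather than only the final state.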
Affected Products
Hyperkitty
Mailman 2
Mailman 3
Suse