PT-2021-5365 · Gnu Mailman

Mark Sapiro

Published: 2021-11-12 · Updated: 2022-12-09

CVE-2021-43332

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GNU Mailman versions prior to 2.1.36

Description: GNU Mailman insufficiently restricts authentication attempts, allowing a remote attacker to bypass authentication by guessing the administrator's password with a brute-force method. Specifically, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password, which a moderator could potentially crack via an offline brute-force attack.

Recommendations: For GNU Mailman versions prior to 2.1.36, update to version 2.1.36 or later to resolve the issue. As a temporary workaround, consider restricting access to the Cgi/admindb.py admindb page to reduce the risk of exploitation, and restrict the use of the encrypted admin password in the CSRF token until the update is applied.

Weakness Enumeration

Insufficiently Protected Credentials

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

ALT-PU-2021-3272
ALT-PU-2021-3273
ALT-PU-2021-3277
ALT-PU-2021-3299
BDU:2021-06195
CVE-2021-43332
DLA-3049-1
OESA-2021-1444
OESA-2022-1931
SUSE-SU-2022:1886-1
USN-5151-1
USN-5151-2

Affected Products

Alt Linux
Gnu Mailman
Linuxmint
Suse
Ubuntu