PT-2021-6019 · Unknown+9 · Gnu Mailman+9

Mark Sapiro · Published 2021-12-01 · Updated 2026-03-03 · CVE-2021-44227

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GNU Mailman versions prior to 2.1.38

Description: The issue stems from insufficient validation of the origin of HTTP requests (cross-site request forgery) in GNU Mailman. A remote attacker can lure a victim who is logged in to the list's admin interface to a specially crafted web page and have the victim's browser perform arbitrary administrative actions on the vulnerable site. Specifically, a list member or moderator can obtain a CSRF token from a form they are legitimately entitled to use, and the admin interface accepts that token even though it was issued for a less privileged context, so the attacker can craft an admin request that sets a new admin password or makes other changes.

Recommendations: For GNU Mailman versions prior to 2.1.38, update to version 2.1.38 or later, which ties the accepted token to the privilege level of the page being accessed. As a temporary mitigation, restrict access to the admin CGI (for example, with web-server access controls on the admin URL path) so that only trusted clients can reach it, and have administrators log out of the admin interface when they are not using it. Note that the tokens in question are issued to any member or moderator who loads a list form, so restricting who can obtain one amounts to restricting member and moderator access to the web interface; the upgrade is the actual fix.
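The following is an added example and is not the advisory's or Mailman's own code. It models the shape of the flaw: a CSRF token that is derived from a per-context secret (site, admin, moderator, member) and that the vulnerable checker accepts as long as the MAC verifies for *whichever* context minted it, beside a hardened checker that is told which CGI is being accessed and rejects tokens from a less privileged context. The secret names, the JSON token layout, the HMAC-SHA256 construction and the `FORM_LIFETIME` value are this example's assumptions, not Mailman's exact implementation.

```python
"""Context-keyed CSRF token check: vulnerable vs hardened (constructed example)."""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

FORM_LIFETIME = 3600  # seconds a token stays valid (assumed value, not Mailman's)

# Per-list secrets for each authentication context (constructed sample data).
LIST_SECRETS = {
    "site": "site-secret",
    "admin": "admin-secret",
    "moderator": "moderator-secret",
    "user": "member-secret",  # an ordinary list member authenticates in this context
}

# Which contexts are privileged enough to submit forms to each CGI.
ALLOWED_CONTEXTS = {
    "admin": {"site", "admin"},
    "admindb": {"site", "admin", "moderator"},
}


def _mac(secret: str, issued: int) -> str:
    return hmac.new(secret.encode(), str(issued).encode(), hashlib.sha256).hexdigest()


def issue_token(context: str, now: Optional[int] = None) -> str:
    """Mint a token for the context the requester is currently authenticated in."""
    issued = int(time.time()) if now is None else now
    payload = {"issued": issued, "context": context,
               "mac": _mac(LIST_SECRETS[context], issued)}
    return json.dumps(payload)


def _parse(token: str) -> Optional[Tuple[int, str]]:
    """Verify the MAC against the secret of the context named in the token."""
    try:
        payload = json.loads(token)
        issued, context, mac = int(payload["issued"]), payload["context"], payload["mac"]
    except (ValueError, KeyError, TypeError):
        return None
    if context not in LIST_SECRETS:
        return None
    if not hmac.compare_digest(mac, _mac(LIST_SECRETS[context], issued)):
        return None
    return issued, context


def csrf_check_vulnerable(token: str, now: Optional[int] = None) -> bool:
    """Accepts any well-formed, unexpired token, no matter which context minted it.

    A member's token therefore passes on an admin form: this is the flaw."""
    now = int(time.time()) if now is None else now
    parsed = _parse(token)
    if parsed is None:
        return False
    issued, _context = parsed
    return issued + FORM_LIFETIME > now


def csrf_check_hardened(token: str, cgi: str, now: Optional[int] = None) -> bool:
    """Same MAC and lifetime checks, plus the token's context must be allowed for this CGI."""
    now = int(time.time()) if now is None else now
    parsed = _parse(token)
    if parsed is None:
        return False
    issued, context = parsed
    if context not in ALLOWED_CONTEXTS.get(cgi, set()):
        return False
    return issued + FORM_LIFETIME > now


def demo() -> dict:
    """Exercise both checkers with tokens a member, a moderator and an admin could hold."""
    now = 1_700_000_000
    member_token = issue_token("user", now)       # obtainable from a member's options page
    moderator_token = issue_token("moderator", now)
    admin_token = issue_token("admin", now)
    # Relabelling a member token as "admin" must fail: the MAC was made with the member secret.
    relabelled = json.loads(member_token)
    relabelled["context"] = "admin"
    relabelled_token = json.dumps(relabelled)
    stale_token = issue_token("admin", now - FORM_LIFETIME - 1)
    return {
        "member_token_accepted_by_vulnerable_admin_check": csrf_check_vulnerable(member_token, now),
        "member_token_accepted_by_hardened_admin_check": csrf_check_hardened(member_token, "admin", now),
        "moderator_token_on_admindb": csrf_check_hardened(moderator_token, "admindb", now),
        "moderator_token_on_admin": csrf_check_hardened(moderator_token, "admin", now),
        "admin_token_on_admin": csrf_check_hardened(admin_token, "admin", now),
        "relabelled_member_token_rejected": not csrf_check_hardened(relabelled_token, "admin", now),
        "stale_admin_token_rejected": not csrf_check_hardened(stale_token, "admin", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is that a MAC alone proves only that *some* context minted the token; the checker must also be told which page the token is being spent on and compare the token's context against that page's required privilege. Note that in the real attack the member still needs the admin's browser to submit the request (the admin session cookie is separate), which is why the vector carries UI:R and why restricting reachability of the admin CGI is a meaningful stop-gap.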

Fix

CSRF


Weakness Enumeration

Related Identifiers

ALSA-2021:4916
ALT-PU-2021-3439
ALT-PU-2021-3511
ALT-PU-2021-3532
ALT-PU-2024-7639
BDU:2022-00592
CESA-2021_4913
CESA-2021_4916
CVE-2021-44227
DLA-3049-1
GHSA-XQ58-69H2-765M
OESA-2021-1456
OESA-2022-1931
RHSA-2021:4913
RHSA-2021:4915
RHSA-2021:4916
RHSA-2021:5080
RHSA-2021:5081
RHSA-2021_4913
RHSA-2021_4916
RLSA-2021:4916
SUSE-SU-2022:1886-1
USN-5180-1
USN-8067-1

Affected Products

Alt Linux
Almalinux
Centos
Gnu Mailman
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu