PT-2023-12254 · Unknown+2 · Mailman Core+2

Legoktm · Published 2022-10-21 · Updated 2024-06-15 · CVE-2021-34337

CVSS v4.0
7.6 High
Vector AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Mailman Core versions prior to 3.3.5

Description
An issue was discovered that allows an attacker with access to the REST API to use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, which limits attackers' ability to exploit this, but it can optionally be made to listen on other interfaces.

Recommendations
For Mailman Core versions prior to 3.3.5, update to version 3.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation.
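As an added illustration of the bug class the description names (not Mailman's own code), the following compares a password check that short-circuits on the first mismatch with one built on a constant-time comparison. It assumes an HTTP Basic-auth REST endpoint and uses constructed credentials.

```python
import base64
import hmac

# Constructed credentials for the demo; a real deployment reads them from
# mailman.cfg ([webservice] admin_user / admin_pass).
ADMIN_USER = "restadmin"
ADMIN_PASS = "restpass"


def _parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    if header is None:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def vulnerable_check(header, user=ADMIN_USER, password=ADMIN_PASS):
    """Pre-fix pattern: a plain == on the secret can stop at the first
    differing byte, so response time leaks how much of a guess is right."""
    creds = _parse_basic_auth(header)
    if creds is None:
        return False
    return creds[0] == user and creds[1] == password


def hardened_check(header, user=ADMIN_USER, password=ADMIN_PASS):
    """Fixed pattern: hmac.compare_digest takes time independent of where the
    inputs differ (it still depends on their length). Both fields are always
    compared, so a wrong user name does not return early either."""
    creds = _parse_basic_auth(header)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode("utf-8"), user.encode("utf-8"))
    pass_ok = hmac.compare_digest(creds[1].encode("utf-8"), password.encode("utf-8"))
    return user_ok and pass_ok


def basic_header(user, password):
    """Build the Authorization header value a REST client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"
```

Keeping the API bound to localhost, as the recommendation suggests, limits who can even attempt the timing measurement; the constant-time comparison removes the signal itself.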

Related Identifiers

ALT-PU-2023-5747
CVE-2021-34337
GHSA-2JG5-XGVV-4WQ7
OESA-2022-2005
OPENSUSE-SU-2024:11644-1
OPENSUSE-SU-2024:11760-1
PYSEC-2023-22

Affected Products

Alt Linux
Debian
Mailman Core