CVE-2021-43332: Bug #1949403 “A vulnerability could allow a list moderator to discover the admin password.” : Bugs : GNU Mailman

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. Because the admindb (moderation) page hands this token to anyone who authenticates as a list moderator, a moderator can take the token away and attempt to recover the admin password from it by an offline brute-force attack, with no further requests to the server.
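As an added illustration (constructed for this page; it is neither Mailman's code nor the 2.1.36 fix), the model below reproduces the shape of the flaw and contrasts it with a hardened design. The weak token's MAC is keyed only with a value derived from the admin password plus a timestamp that travels in the clear inside the token, so whoever holds a token can test password guesses at local hash speed. The hardened token keys the MAC with a random server-side secret and takes no password-derived input at all, so it carries no information about the password. The SHA-1 password storage, the `issued:mac` token layout, the sample password, the wordlist and the timestamp are all assumptions chosen for the example.

```python
"""Weak CSRF token that doubles as a password oracle, beside a hardened variant.

Constructed model for illustration; not Mailman's implementation.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Sequence

# Constructed sample data (assumptions, not taken from the advisory).
ADMIN_PASSWORD = "summer2021"
ISSUED = 1635724800  # 2021-11-01 00:00:00 UTC, chosen to match the report date
WORDLIST = ["password", "mailman", "letmein", "summer2021", "qwerty"]


def stored_password_hash(password: str) -> str:
    """Assumed server-side storage: unsalted SHA-1 hex digest of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def weak_token(password: str, issued: int) -> str:
    """Flawed design: MAC keyed only by the stored password hash and a public timestamp.

    The timestamp is inside the token, so the password is the only unknown
    needed to recompute the MAC. The token is therefore a password-check oracle.
    """
    mac = hashlib.sha1((stored_password_hash(password) + str(issued)).encode()).hexdigest()
    return f"{issued}:{mac}"


def crack_weak_token(token: str, wordlist: Sequence[str]) -> Optional[str]:
    """Offline brute force: recompute weak_token for each guess and compare.

    Nothing is sent to the server, so nothing is rate-limited or logged.
    """
    issued_str, _mac = token.split(":", 1)
    issued = int(issued_str)
    for guess in wordlist:
        if hmac.compare_digest(weak_token(guess, issued), token):
            return guess
    return None


def strong_token(server_key: bytes, context: str, issued: int) -> str:
    """Hardened design: HMAC keyed with a random server-side secret.

    No password or password hash is an input, so two lists with different
    admin passwords and the same key get identical tokens: the token leaks
    zero bits about the password. The key is generated once and never sent.
    """
    msg = f"{context}:{issued}".encode()
    mac = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def verify_strong_token(server_key: bytes, context: str, token: str,
                        now: int, max_age: int = 3600) -> bool:
    """Server-side check: reject malformed or stale tokens, compare in constant time."""
    try:
        issued_str, _mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued <= max_age:
        return False
    expected = strong_token(server_key, context, issued)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # What a moderator receives from the weak scheme, and what they can do with it.
    leaked = weak_token(ADMIN_PASSWORD, ISSUED)
    print("token handed to moderator:", leaked)
    print("admin password recovered offline:", crack_weak_token(leaked, WORDLIST))

    # Hardened scheme: the key lives only on the server.
    server_key = secrets.token_bytes(32)
    hardened = strong_token(server_key, "admin", ISSUED)
    print("hardened token:", hardened)
    print("accepted by server:", verify_strong_token(server_key, "admin", hardened, ISSUED + 60))
    print("accepted for another context:", verify_strong_token(server_key, "moderator", hardened, ISSUED + 60))
```

The design point is that a CSRF token only has to bind a session or authentication context to a request; it never needs the password as a MAC key. Any value derived from a user-chosen password and placed in a token the user can read becomes an offline cracking target, exactly the attack the advisory describes.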

Tags: CVE, csrf, vulnerability

A vulnerability could allow a list moderator to discover the admin password.

Bug #1949403 reported by Mark Sapiro on 2021-11-01


Affects: GNU Mailman
Status: Fix Released
Importance: Undecided
Assigned to: Mark Sapiro
Milestone: GNU Mailman 2.1.36

Filed here by: Mark Sapiro
When: 2021-11-01
Confirmed: 2021-11-01
Assigned: 2021-11-01
Started work: 2021-11-01
Completed: 4 hours ago


Bug Description

The CSRF token for the admindb page contains an encrypted version of the list admin password which could potentially be cracked by a moderator via an off-line brute force attack.
