CVE-2021-43332: Bug #1949403 “A vulnerability could allow a list moderator to di...” : Bugs : GNU Mailman
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
A vulnerability could allow a list moderator to discover the admin password.
Bug #1949403 reported by Mark Sapiro on 2021-11-01
This bug affects 1 person
Affects: GNU Mailman
Status: Fix Released
Importance: Undecided
Assigned to: Mark Sapiro
Milestone: GNU Mailman 2.1.36
Affecting:
GNU Mailman
Filed here by:
Mark Sapiro
When:
2021-11-01
Confirmed:
2021-11-01
Assigned:
2021-11-01
Started work:
2021-11-01
Completed:
4 hours ago
Bug Description
The CSRF token for the admindb page contains an encrypted version of the list admin password, which could potentially be cracked by a moderator via an offline brute-force attack.
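The defensive lesson of this report is that a token handed to a lower-privileged user (here, a list moderator) must not be derived from a higher-privileged secret (the admin password) in a way that lets the holder test guesses offline. The following is an added illustration, not Mailman's own code and not the 2.1.36 fix: a CSRF token built as an HMAC over the list name, role and issue time under a random per-site secret (the `SITE_SECRET`, `make_token` and `check_token` names are assumed). Because the password is never an input, possession of the token gives no information about it, and verification still rejects tampered, expired or role-swapped tokens.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a random per-site secret generated at install time
# and kept outside the web root. Not Mailman's own mechanism.
SITE_SECRET = secrets.token_bytes(32)

MAX_AGE_SECONDS = 3600  # tokens older than an hour are refused


def _mac(secret, list_name, role, issued_at):
    """HMAC-SHA256 over the fields the token must bind; no password involved."""
    msg = f"{list_name}:{role}:{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(list_name, role, secret=SITE_SECRET, now=None):
    """Issue a CSRF token of the form '<issued_at>:<hex mac>'.

    The token depends only on the server secret, the list, the role and
    the time, so a moderator holding one cannot learn anything about the
    admin password from it.
    """
    issued_at = int(time.time()) if now is None else int(now)
    return f"{issued_at}:{_mac(secret, list_name, role, issued_at)}"


def check_token(token, list_name, role, secret=SITE_SECRET, now=None,
                max_age=MAX_AGE_SECONDS):
    """Return True only for an untampered, unexpired token for this list/role."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed token
    current = int(time.time()) if now is None else int(now)
    if issued_at > current or current - issued_at > max_age:
        return False  # clock skew or expired
    expected = _mac(secret, list_name, role, issued_at)
    # Constant-time comparison so verification timing leaks nothing either.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    tok = make_token("announce", "moderator")
    print("issued:", tok)
    print("valid for moderator:", check_token(tok, "announce", "moderator"))
    print("valid for admin:    ", check_token(tok, "announce", "admin"))
```

Rotating `SITE_SECRET` invalidates every outstanding token at once, which is the right behaviour after a suspected leak; a design that keys the token on the admin password has no such lever short of changing that password.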