CVE-2021-43332: Bug #1949403 “A vulnerability could allow a list moderator to di...” : Bugs : GNU Mailman
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
A vulnerability could allow a list moderator to discover the admin password.
Bug #1949403 reported by Mark Sapiro on 2021-11-01
Affects: GNU Mailman
Status: Fix Released
Importance: Undecided
Assigned to: Mark Sapiro
Milestone: GNU Mailman 2.1.36
Bug Description
The CSRF token for the admindb page contains an encrypted version of the list admin password which could potentially be cracked by a moderator via an off-line brute force attack.
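The design flaw described above is that a CSRF token built from a low-entropy secret (here the list admin password) lets anyone who can see the token, such as a moderator loading the admindb page, test password guesses offline, because every other input to the token is public. The following added example is hypothetical illustration code, not Mailman's own implementation: it stands in a plain hash for Mailman's "encrypted version" of the password, shows why such a token acts as an offline password oracle, and contrasts it with a token keyed by a random server-side secret that contains no password material at all. The list name, timestamp, role string and candidate passwords are constructed sample values.

```python
"""Why a CSRF token must not be derived from a password, and the keyed-HMAC fix.

Hypothetical code written for this bug record; it is not GNU Mailman's code.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# --- Weak pattern (the class of flaw in the bug report) ----------------------
# The token is a digest over the list name, a timestamp and the admin password.
# The list name and timestamp are visible in the page, so the password is the
# only unknown input: the token is a password-equivalent that can be guessed at
# offline without ever contacting the server.
def weak_token(list_name: str, admin_password: str, ts: int) -> str:
    data = f"{list_name}:{ts}:{admin_password}".encode()
    return hashlib.sha256(data).hexdigest()


def weak_token_reveals_password(list_name: str, ts: int, token: str,
                                candidates: Iterable[str]) -> Optional[str]:
    """Defender-side check: confirms that holding one token is enough to verify
    a password guess offline. Returns the matching candidate if any."""
    for guess in candidates:
        if hmac.compare_digest(weak_token(list_name, guess, ts), token):
            return guess
    return None


# --- Hardened pattern: HMAC under a random server secret ---------------------
# The key is generated once and kept server-side; the token binds the list, the
# role the token is valid for and a timestamp, but carries no password material.
SITE_SECRET = secrets.token_bytes(32)  # constructed for the example


def strong_token(list_name: str, role: str, ts: int,
                 key: bytes = SITE_SECRET) -> str:
    msg = f"{list_name}:{role}:{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_strong_token(list_name: str, role: str, ts: int, token: str,
                        key: bytes = SITE_SECRET) -> bool:
    """Constant-time comparison; without SITE_SECRET nobody can recompute
    or brute-force the token, and a 'moderator' token never verifies as 'admin'."""
    return hmac.compare_digest(strong_token(list_name, role, ts, key), token)


if __name__ == "__main__":
    ts = 1700000000            # constructed timestamp
    tok = weak_token("announce", "hunter2", ts)
    print("weak token leaks:", weak_token_reveals_password(
        "announce", ts, tok, ["letmein", "hunter2", "password"]))
    adm = strong_token("announce", "admin", ts)
    print("admin token valid for admin:", verify_strong_token("announce", "admin", ts, adm))
    print("admin token valid for moderator:", verify_strong_token("announce", "moderator", ts, adm))
```

Scoping the keyed token to a role (as `strong_token` does) is the part that matters for this bug class: a moderator's admindb token is then useless on the admin pages, and the server still has to perform its normal role check on every request; the token only proves the request originated from a page the server rendered for that role.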