Timing Attack Vulnerability in Mailman Core by GNU
CVE-2021-34337

6.3MEDIUM

Key Information:

Vendor: Gnu
Status: Mailman
Vendor: CVE Published:; 15 April 2023

Summary

A vulnerability exists in Mailman Core prior to version 3.3.5 that allows an attacker with access to the REST API to exploit timing discrepancies in API responses. By observing the time it takes for requests to process, an attacker can infer the configured REST API password. Although the REST API is bound to localhost by default—a measure that limits exposure—users can opt to allow it to listen on other interfaces, which amplifies the potential for exploitation. This makes it crucial for users to update their installations to guard against unauthorized API access.

References

https://gitlab.com/mailman/mailman/-/issues/911

https://gitlab.com/mailman/mailman/-/tags

https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2023
Vulnerability Reserved
Jun 8, 2021