CVE-2021-43332

6.5MEDIUM

Key Information:

Vendor: Gnu
Status: Mailman
Vendor: CVE Published:; 12 November 2021

Summary

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

References

https://bugs.launchpad.net/mailman/+bug/1949403

x_refsource_MISC

https://mail.python.org/archives/list/mailman-announce%40...

x_refsource_CONFIRM

https://lists.debian.org/debian-lts-announce/2022/06/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 12, 2021
Vulnerability Reserved
Nov 3, 2021