An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.
References
Link | Resource |
---|---|
https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 | Patch Vendor Advisory |
https://gitlab.com/mailman/mailman/-/issues/911 | Broken Link |
https://gitlab.com/mailman/mailman/-/tags | Release Notes |
Configurations
History
25 Apr 2023, 18:17
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 - Patch, Vendor Advisory | |
References | (MISC) https://gitlab.com/mailman/mailman/-/tags - Release Notes | |
References | (MISC) https://gitlab.com/mailman/mailman/-/issues/911 - Broken Link | |
CPE | cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.3 |
CWE | NVD-CWE-noinfo | |
First Time |
Gnu
Gnu mailman |
15 Apr 2023, 20:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-04-15 20:16
Updated : 2023-12-10 15:01
NVD link : CVE-2021-34337
Mitre link : CVE-2021-34337
CVE.ORG link : CVE-2021-34337
JSON object : View
Products Affected
gnu
- mailman
CWE