Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2021-42097

Опубликовано: 21 окт. 2021
Источник: debian

Описание

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

Пакеты

ПакетСтатусВерсия исправленияРелизТип
mailmanremovedpackage

Примечания

  • Fixed by: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873

  • https://bugs.launchpad.net/mailman/+bug/1947640

  • https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/

  • https://www.openwall.com/lists/oss-security/2021/10/21/4

  • Regression: https://bugs.launchpad.net/mailman/+bug/1954694

  • Regression fixed by: https://launchpadlibrarian.net/573872803/patch.txt

Связанные уязвимости

ubuntu логотип

CVE-2021-42097

CVSS3: 8
ubuntu
больше 3 лет назад

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

redhat логотип

CVE-2021-42097

CVSS3: 8
redhat
больше 3 лет назад

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

nvd логотип

CVE-2021-42097

CVSS3: 8
nvd
больше 3 лет назад

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

github логотип

GHSA-vj65-f4hc-r425

github
около 3 лет назад

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

suse-cvrf логотип

openSUSE-SU-2021:1436-1

suse-cvrf
больше 3 лет назад

Security update for mailman