exploitDog

CVE-2021-42096

Published: 21 Oct 2021
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

Sensitive information is exposed to unprivileged users in Mailman. The hash of the list admin password is used to derive the CSRF (Cross-Site Request Forgery) token, and that token is exposed to unprivileged members of a list. A malicious member can take the token and run an offline brute-force attack against it to recover the list admin password, without sending further requests to the server.
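To make the weakness concrete, the following added example models the two token designs side by side. It is illustrative code written for this page, not Mailman's own CSRFcheck implementation; the unsalted SHA-1 password hash, the `H(hash || issued)` derivation, the constructed wordlist and the timestamp are all assumptions chosen to show the mechanism. The attacker side shows why a password-derived token is an offline oracle; the keyed HMAC variant shows the fix pattern (a random per-list secret that is not a function of any password).

```python
"""Illustrative model of CVE-2021-42096 (not Mailman's code).

A CSRF token that is a deterministic function of the admin password hash
hands every list member an offline oracle for that password.  Names, the
hash construction and the sample data below are assumptions for this demo.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> str:
    """Stored admin-password hash.  Assumption: unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def weak_csrf_token(admin_pw_hash: str, issued: int) -> str:
    """Vulnerable pattern: token = H(admin_pw_hash || issued).

    'issued' is embedded in the form next to the token so the server can
    expire it, so a member who views the form learns every input except
    the hash, and the hash is the only unknown left to guess."""
    msg = (admin_pw_hash + str(issued)).encode("utf-8")
    return hashlib.sha1(msg).hexdigest()


def offline_bruteforce(token: str, issued: int, wordlist):
    """What a malicious member does with one captured token: recompute the
    token for each candidate password exactly as the server would and
    compare.  No further requests hit the server, so login rate limits
    and lockouts never trigger.  Returns the password or None."""
    for candidate in wordlist:
        guess = weak_csrf_token(password_hash(candidate), issued)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def strong_csrf_token(list_secret: bytes, context: str, issued: int) -> str:
    """Hardened pattern: key the token with a random per-list secret that is
    never derived from a password.  The token then carries no information
    about the admin password, so there is nothing to brute-force offline."""
    msg = f"{context}:{issued}".encode("utf-8")
    return hmac.new(list_secret, msg, hashlib.sha256).hexdigest()


def verify_strong_token(list_secret: bytes, context: str, issued: int,
                        token: str, now: int, max_age: int = 3600) -> bool:
    """Server-side check: reject stale or future-dated tokens, then compare
    in constant time against a freshly computed value."""
    if issued > now or now - issued > max_age:
        return False
    expected = strong_csrf_token(list_secret, context, issued)
    return hmac.compare_digest(expected, token)


# Constructed demo data: not real credentials, not real wordlists.
ADMIN_PASSWORD = "listadmin2021"
WORDLIST = ["password", "mailman", "admin123", "listadmin2021", "letmein"]
ISSUED = 1634803200  # constructed 'issued' timestamp


def demo():
    """Returns (password recovered from the weak token,
                password recovered from the keyed token)."""
    leaked = weak_csrf_token(password_hash(ADMIN_PASSWORD), ISSUED)
    recovered = offline_bruteforce(leaked, ISSUED, WORDLIST)

    # Same attack against a keyed token: the token is not a function of the
    # password, so no candidate can ever reproduce it.
    list_secret = os.urandom(32)
    keyed = strong_csrf_token(list_secret, "options", ISSUED)
    not_recovered = offline_bruteforce(keyed, ISSUED, WORDLIST)
    return recovered, not_recovered


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak token  -> recovered password:", weak_result)
    print("keyed token -> recovered password:", strong_result)
```

The design point is that a CSRF token only needs to be unforgeable by a third party and bound to the session or list; it never needs to depend on a credential. Deriving it from the password hash turns a low-privilege view of a form into the equivalent of a stolen password hash, which is why Red Hat files this under CWE-200.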

Statement

This issue did not affect the versions of mailman shipped with Red Hat Enterprise Linux 6 and 7, as those versions did not use CSRF tokens on member pages.

Affected packages

Platform                                          | Package | State        | Advisory       | Release
Red Hat Enterprise Linux 6                        | mailman | Not affected |                |
Red Hat Enterprise Linux 7                        | mailman | Not affected |                |
Red Hat Enterprise Linux 8                        | mailman | Fixed        | RHSA-2021:4826 | 23.11.2021
Red Hat Enterprise Linux 8.1 Extended Update Support | mailman | Fixed     | RHSA-2021:4838 | 24.11.2021
Red Hat Enterprise Linux 8.2 Extended Update Support | mailman | Fixed     | RHSA-2021:4837 | 24.11.2021
Red Hat Enterprise Linux 8.4 Extended Update Support | mailman | Fixed     | RHSA-2021:4839 | 24.11.2021

Additional information

Severity (Red Hat): Moderate
Weakness: CWE-200
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2020575
  mailman: CSRF token derived from admin password allows offline brute-force attack

EPSS: 0.00404 (Low), percentile 60%

CVSS3: 4.3 (Medium)

Related vulnerabilities

CVSS3: 4.3
ubuntu
more than 3 years ago

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

CVSS3: 4.3
nvd
more than 3 years ago

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

CVSS3: 4.3
debian
more than 3 years ago

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A cer ...

github
about 3 years ago

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

suse-cvrf
more than 3 years ago

Security update for mailman
