exploitDog
CVE-2021-44227

Published: 26 Nov 2021
Source: redhat
CVSS3: 8
EPSS: Low

Description

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.

A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right type of user when performing admin operations and a token created by a regular user can be used by an admin to perform an admin-level request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim admin.
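The pattern described above, as an added illustration that is not Mailman's own code: a CSRF token that carries the role it was issued for, a vulnerable admin-side check that verifies only the MAC, the list name and the age of the token, and a hardened check that additionally requires the token's role to match the role the operation needs. The secret, the role names and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real deployment uses its own configured secret.
SECRET = b"example-site-secret-do-not-reuse"
TOKEN_TTL = 3600      # seconds a token stays valid (assumed lifetime)
MAC_LEN = 32          # length of an HMAC-SHA256 digest


def _sign(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def make_csrf_token(secret, listname, role, principal, issued=None):
    """Issue a token bound to the list, the role it was issued for
    ('user', 'moderator' or 'admin') and the principal it was issued to."""
    issued = int(time.time()) if issued is None else int(issued)
    payload = json.dumps([listname, role, principal, issued]).encode()
    return base64.urlsafe_b64encode(payload + _sign(secret, payload)).decode()


def _parse_token(secret, token):
    """Return (listname, role, principal, issued) if the MAC verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _sign(secret, payload)):
        return None
    try:
        listname, role, principal, issued = json.loads(payload)
        return listname, role, principal, int(issued)
    except (ValueError, TypeError):
        return None


def check_admin_token_vulnerable(secret, listname, token, now=None):
    """Pattern behind the weakness: MAC, list name and age are checked, but
    not which role the token was issued for, so a list member's token is
    accepted for an admin operation."""
    parsed = _parse_token(secret, token)
    if parsed is None:
        return False
    tok_list, _role, _principal, issued = parsed
    now = time.time() if now is None else now
    return tok_list == listname and 0 <= now - issued <= TOKEN_TTL


def check_admin_token_fixed(secret, listname, token, required_role, now=None):
    """Hardened check: the token must have been issued for the role the
    operation requires, not merely for the same list."""
    parsed = _parse_token(secret, token)
    if parsed is None:
        return False
    tok_list, role, _principal, issued = parsed
    now = time.time() if now is None else now
    return (tok_list == listname
            and role == required_role
            and 0 <= now - issued <= TOKEN_TTL)


if __name__ == "__main__":
    # Constructed scenario: a token issued to an ordinary member of "mylist".
    member_token = make_csrf_token(SECRET, "mylist", "user", "member@example.com")
    print("vulnerable check accepts member token for admin operation:",
          check_admin_token_vulnerable(SECRET, "mylist", member_token))
    print("fixed check accepts member token for admin operation:",
          check_admin_token_fixed(SECRET, "mylist", member_token, "admin"))
```

The fixed check decides on the role recorded inside the signed token rather than on who presents it, which is the property the advisory says was missing: a token minted for a member cannot satisfy a check that requires an admin token, even when it is replayed in an administrator's session.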

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

Platform                                                  | Package | State                | Advisory       | Release
Red Hat Enterprise Linux 6                                | mailman | Out of support scope |                |
Red Hat Enterprise Linux 7                                | mailman | Fixed                | RHSA-2021:4913 | 02.12.2021
Red Hat Enterprise Linux 8                                | mailman | Fixed                | RHSA-2021:4916 | 02.12.2021
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | mailman | Fixed           | RHSA-2021:5081 | 13.12.2021
Red Hat Enterprise Linux 8.2 Extended Update Support      | mailman | Fixed                | RHSA-2021:5080 | 13.12.2021
Red Hat Enterprise Linux 8.4 Extended Update Support      | mailman | Fixed                | RHSA-2021:4915 | 02.12.2021


Additional information

Status: Important
Weakness: CWE-352
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2026862 (mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover)

EPSS: 0.00339 (Low), percentile 56%
CVSS3: 8 (High)

Related vulnerabilities

- ubuntu (CVSS3: 8.8, more than 3 years ago): In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
- nvd (CVSS3: 8.8, more than 3 years ago): In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
- debian (CVSS3: 8.8, more than 3 years ago): In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...
- rocky (more than 3 years ago): Important: mailman:2.1 security update
- github (CVSS3: 8.8, more than 3 years ago): Cross Site Request Forgery in mailman
