First published: Thu Oct 21 2021(Updated: )
GNU Mailman before 2.1.35 may allow remote privilege escalation. The csrf_token value is not bound to a single user account: an attacker can obtain a token within the context of an unprivileged user account and then present that same value in a CSRF attack against an admin (for example, for account takeover), because the server accepts the token regardless of which principal it was issued to.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
GNU Mailman | <2.1.35 | Upgrade to 2.1.35 or later |
Debian Linux | =10.0 | |
debian/mailman | <2.1.35 | |
The vulnerability ID of this security issue is CVE-2021-42097.
CVE-2021-42097 has a severity level of high.
The affected software for CVE-2021-42097 is GNU Mailman versions before 2.1.35.
An attacker exploits CVE-2021-42097 by obtaining a csrf_token value within the context of an unprivileged user account and reusing it in a CSRF attack against an admin. A deployment is affected if a token issued in the unprivileged context is accepted by an admin-context form; the fix is to bind the token to the acting user or role so that it fails verification in any other context.
Known remedies for CVE-2021-42097: upgrade to GNU Mailman 2.1.35 or later. For Debian, the page lists 1:2.1.29-1+deb10u5 or 1:2.1.29-1+deb10u2 as fixed packages. For Ubuntu, upgrading to 2.1.35 or 1:2.1.29-1ubuntu3.1 is recommended.
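The following is an added example, not Mailman's own csrf_token code, that models the bug class the advisory describes: a toy HMAC-based token that covers only the list name (so a subscriber's token verifies in the admin context) next to a corrected token that also covers the acting principal. The secret, list name, addresses and timestamps are constructed for illustration; the real Mailman token format differs.

```python
"""Added example (not Mailman's code): CSRF tokens must be bound to the
acting principal. Secret, list name and addresses below are constructed."""
import hashlib
import hmac
import time

# Constructed server-side secret; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL = 3600  # seconds a token stays valid


def _mac(message):
    return hmac.new(SERVER_SECRET, message.encode(), hashlib.sha256).hexdigest()


def _parse(token, now):
    """Split 'issued:mac', reject malformed or expired tokens."""
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return None
    if not 0 <= now - issued <= TOKEN_TTL:
        return None
    return issued, mac


# Weak scheme (the bug class in the advisory): the token covers only the
# list and the issue time, so every principal on that list receives an
# interchangeable token.
def weak_token(listname, issued=None):
    issued = int(time.time()) if issued is None else issued
    return "%d:%s" % (issued, _mac("%s:%d" % (listname, issued)))


def weak_check(token, listname, now=None):
    now = int(time.time()) if now is None else now
    parsed = _parse(token, now)
    if parsed is None:
        return False
    issued, mac = parsed
    return hmac.compare_digest(mac, _mac("%s:%d" % (listname, issued)))


# Bound scheme: the token additionally covers the acting principal (a
# subscriber address or a role such as "admin"), so a token minted in one
# context fails verification in any other.
def bound_token(listname, principal, issued=None):
    issued = int(time.time()) if issued is None else issued
    return "%d:%s" % (issued, _mac("%s:%s:%d" % (listname, principal, issued)))


def bound_check(token, listname, principal, now=None):
    now = int(time.time()) if now is None else now
    parsed = _parse(token, now)
    if parsed is None:
        return False
    issued, mac = parsed
    return hmac.compare_digest(mac, _mac("%s:%s:%d" % (listname, principal, issued)))


def replay_demo(now=1700000000):
    """Mint tokens as an unprivileged subscriber, then present them to the
    admin-context check, as the attack in the advisory would."""
    listname = "example-list"          # constructed
    subscriber = "user@example.org"    # constructed unprivileged account
    admin = "admin"                    # constructed admin role

    stolen_weak = weak_token(listname, issued=now)
    stolen_bound = bound_token(listname, subscriber, issued=now)
    return {
        # weak: the subscriber's token verifies in the admin context
        "weak_accepted_as_admin": weak_check(stolen_weak, listname, now=now),
        # bound: the same replay is rejected
        "bound_accepted_as_admin": bound_check(stolen_bound, listname, admin, now=now),
        # bound: still valid for the principal it was minted for
        "bound_accepted_as_owner": bound_check(stolen_bound, listname, subscriber, now=now),
        # bound: expiry limits how long a leaked token is useful
        "bound_accepted_after_ttl": bound_check(
            stolen_bound, listname, subscriber, now=now + TOKEN_TTL + 1),
        # malformed input never verifies
        "garbage_accepted": bound_check("not-a-token", listname, admin, now=now),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print("%s: %s" % (name, accepted))
```

Binding the principal into the MAC input is what makes the token context-specific; a per-user random token stored server-side achieves the same property, but the HMAC form needs no session storage, which is why it is common in CGI-style applications such as Mailman 2.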