First published: Fri Nov 12 2021
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
GNU Mailman | <2.1.36 |
Debian Linux | =9.0 |
The vulnerability ID for this vulnerability is CVE-2021-43332.
The severity of CVE-2021-43332 is medium with a CVSS score of 6.5.
GNU Mailman versions before 2.1.36 and Debian Linux version 9.0 are affected by CVE-2021-43332.
CVE-2021-43332 is a vulnerability in GNU Mailman before 2.1.36 where the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password, which could be cracked by a moderator via an offline brute-force attack.
CVE-2021-43332 can be exploited by a moderator launching an offline brute-force attack to crack the encrypted version of the list admin password contained in the CSRF token for the Cgi/admindb.py admindb page.
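As an added illustration (not Mailman's own code and not its 2.1.36 fix), the following shows the token design that avoids the defect class described above: the CSRF token is a keyed MAC under a per-installation random secret, bound to the list, the caller's role and the issue time, so a token in a moderator's hands carries no password-derived material to guess against offline. All names, the TTL and the token layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a per-installation random key that is NOT
# derived from any list password. In practice it is generated once and
# stored server-side with restricted permissions.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600
_TS_LEN = 8
_MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _message(list_name: str, role: str, issued_at: int) -> bytes:
    # Bind the token to the list, the role (admin vs. moderator) and the issue time.
    return f"{list_name}|{role}|{issued_at}".encode()


def make_csrf_token(list_name: str, role: str, secret: bytes = SERVER_SECRET,
                    now: Optional[int] = None) -> str:
    """Token = base64url(issued_at || HMAC-SHA256(secret, list|role|issued_at)).
    Nothing in the token depends on the admin password, so possessing it
    gives an offline attacker nothing to test password guesses against."""
    issued_at = int(time.time() if now is None else now)
    mac = hmac.new(secret, _message(list_name, role, issued_at), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(issued_at.to_bytes(_TS_LEN, "big") + mac).decode()


def verify_csrf_token(token: str, list_name: str, role: str,
                      secret: bytes = SERVER_SECRET, now: Optional[int] = None,
                      ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """Recompute the MAC for the claimed context, enforce expiry and compare
    in constant time. A moderator token does not verify for the admin role."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != _TS_LEN + _MAC_LEN:
        return False
    issued_at = int.from_bytes(raw[:_TS_LEN], "big")
    current = int(time.time() if now is None else now)
    if issued_at > current or current - issued_at > ttl:
        return False
    expected = hmac.new(secret, _message(list_name, role, issued_at), hashlib.sha256).digest()
    return hmac.compare_digest(raw[_TS_LEN:], expected)
```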