CVE-2021-34337 – mailman
Package
Manager: pip
Name: mailman
Vulnerable Version: >=0 <3.3.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00511 (percentile 0.65429)
Details
Mailman Core vulnerable to timing attacks
An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but it can optionally be made to listen on other interfaces.
Metadata
Created: 2023-04-15T21:30:16Z
Modified: 2024-09-30T16:52:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2jg5-xgvv-4wq7/GHSA-2jg5-xgvv-4wq7.json
CWE IDs: CWE-208
Alternative ID: GHSA-2jg5-xgvv-4wq7
Finding: F063
Auto approve: 1