CVE-2021-34337 — Observable Timing Discrepancy in Mailman

CWE-208 — Observable Timing Discrepancy CWE-287 — Improper Authentication7 documents6 sources

Severity

6.3MEDIUMNVD

EPSS

0.4%

top 38.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Mailman

Timeline

PublishedApr 15

Description

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.0 | Impact: 5.2

Affected Packages2 packages

▶NVDgnu/mailman< 3.3.5

▶PyPIgnu/mailman< 3.3.5

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

CVEList

CVE-2021-34337: An issue was discovered in Mailman Core before 3↗2023-04-15

▶

GHSA

Mailman Core vulnerable to timing attacks↗2023-04-15

▶

OSV

Mailman Core vulnerable to timing attacks↗2023-04-15

▶

OSV

CVE-2021-34337: An issue was discovered in Mailman Core before 3↗2023-04-15

▶

📋Vendor Advisories

Red Hat

mailman: password checking timing attack in administrative REST API↗2021-12-04

▶

Debian

CVE-2021-34337: mailman3 - An issue was discovered in Mailman Core before 3.3.5. An attacker with access to...↗2021

▶