CVE-2021-33038 : An issue was discovered in management/commands/hyperkitty

An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during a large migration from Mailman 2 to Mailman 3.

Published 2021-05-26 14:15:09

Updated 2022-06-28 14:11:45

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2021-33038

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Hyperkitty Project » Hyperkitty
Versions up to, including, (<=) 1.3.4
cpe:2.3:a:hyperkitty_project:hyperkitty:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-33038

EPSS FAQ

0.44%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-33038

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-33038

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-33038

https://www.debian.org/security/2021/dsa-4922

Debian -- Security Information -- DSA-4922-1 hyperkitty
Third Party Advisory
https://techblog.wikimedia.org/2021/06/11/discovering-and-fixing-cve-2021-33038-in-mailman3/

Discovering and fixing CVE-2021-33038 in Mailman3 – [[WM:TECHBLOG]]
Patch;Third Party Advisory
https://gitlab.com/mailman/hyperkitty/-/issues/380

hyperkitty_import command leaves archives public until import finishes (#380) · Issues · GNU Mailman / HyperKitty · GitLab
Exploit;Issue Tracking;Patch;Third Party Advisory
https://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa

Ensure private archives stay private during import (CVE-2021-33038) (90253245) · Commits · GNU Mailman / HyperKitty · GitLab
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-33038

Products affected by CVE-2021-33038

Exploit prediction scoring system (EPSS) score for CVE-2021-33038

CVSS scores for CVE-2021-33038

CWE ids for CVE-2021-33038

References for CVE-2021-33038