Vulnerability Details : CVE-2021-34337
An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.
Products affected by CVE-2021-34337
- cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-34337
0.26%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 47 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-34337
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.3
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
1.0
|
5.2
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-06 |
|
6.3
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
1.0
|
5.2
|
NIST |
CWE ids for CVE-2021-34337
-
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2021-34337
-
https://gitlab.com/mailman/mailman/-/issues/911
Not FoundBroken Link
-
https://gitlab.com/mailman/mailman/-/tags
Tags · GNU Mailman / Mailman Core · GitLabRelease Notes
-
https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51
Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337) (e4a39488) · Commits · GNU Mailman / Mailman Core · GitLabPatch;Vendor Advisory
Jump to