CVE-2021-34337

EPSS 0.51%
Published 15.04.2023 20:16:00
Last modified 06.02.2025 17:15:12
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Gnu ≫ Mailman Version < 3.3.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.51%	0.653

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.3	1	5.2	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.3	1	5.2	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51

Patch

Vendor Advisory

https://gitlab.com/mailman/mailman/-/issues/911

Broken Link

https://gitlab.com/mailman/mailman/-/tags

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2021-34337

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-34337

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-34337

EUVD