CVE-2021-34337
low-risk
Published 2023-04-15
An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.
Do I need to act?
-
0.42% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.3/10
Medium
LOCAL
/ HIGH complexity
Affected Products (1)
Mailman
Affected Vendors
References (6)
Broken Link
https://gitlab.com/mailman/mailman/-/issues/911
Release Notes
https://gitlab.com/mailman/mailman/-/tags
Broken Link
https://gitlab.com/mailman/mailman/-/issues/911
Release Notes
https://gitlab.com/mailman/mailman/-/tags
23
/ 100
low-risk
Severity
16/34 · Moderate
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal