CVE-2021-34337

Publication date 15 April 2023

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.3 · Medium

Score breakdown

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.

Status

Package Ubuntu Release Status
mailman3 24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic Not in release
22.04 LTS jammy Not in release
21.10 impish Ignored end of life
20.04 LTS focal
Vulnerable
18.04 LTS bionic
Vulnerable
16.04 LTS xenial Ignored end of standard support
14.04 LTS trusty Ignored end of standard support

Severity score breakdown

Parameter Value
Base score 6.3 · Medium
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N