Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

Sympa community reports :

Unauthorised full access via SOAP API due to illegal cookie

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-11cb6626e2 advisory.

  - Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary     string (except one from an expired cookie) as the cookie value to authenticateAndRun. (CVE-2020-29668)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-a5570c5281 advisory.

  - Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary     string (except one from an expired cookie) as the cookie value to authenticateAndRun. (CVE-2020-29668)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities were discovered in Sympa, a mailing list manager, which could result in local privilege escalation, denial of service or unauthorized access via the SOAP API.

Additionally to mitigate CVE-2020-26880 the sympa_newaliases-wrapper is no longer installed setuid root by default. A new Debconf question is introduced to allow setuid installations in setups where it is needed.

Sympa, a modern mailing list manager, grants full SOAP API access by sending invalid string as the cookie value, if the SOAP endpoint was enabled. An attacker could manipulate the mailing lists, including subscribing e-mails or getting the list of subscribers.

For Debian 9 stretch, this problem has been fixed in version 6.2.16~dfsg-3+deb9u5.

We recommend that you upgrade your sympa packages.

For the detailed security status of sympa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sympa

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
149234	FreeBSD : sympa -- Unauthorised full access via SOAP API due to illegal cookie (0add6e6b-6883-11eb-b0cb-f8b156c2bfe9)	Nessus	FreeBSD Local Security Checks	low
144919	Fedora 33 : sympa (2021-11cb6626e2)	Nessus	Fedora Local Security Checks	low
144916	Fedora 32 : sympa (2021-a5570c5281)	Nessus	Fedora Local Security Checks	low
144594	Debian DSA-4818-1 : sympa - security update	Nessus	Debian Local Security Checks	high
144441	Debian DLA-2499-1 : sympa security update	Nessus	Debian Local Security Checks	low

Detections

Analytics

CVE-2020-29668

low

Tenable Plugins

low

low

low

high

low