GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0194 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2021-42096:
    GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.

    CVE-2021-42097:
    GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover).

    CVE-2021-44227:
    In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-4826 advisory.

    - Fix for CVE-2021-42096
    - Fix for CVE-2021-42097

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4826 advisory.

    Mailman is a program used to help manage e-mail discussion lists.

    Security Fix(es):

    * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

    * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:1886-1 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary     JavaScript for XSS. (CVE-2021-43331)

  - In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted     version of the list admin password. This could potentially be cracked by a moderator via an offline brute-     force attack. (CVE-2021-43332)

  - In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes. (CVE-2021-44227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the mailman package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

  - In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes. (CVE-2021-44227)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the mailman package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4826 advisory.

    * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

    * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4838 advisory.

    Mailman is a program used to help manage e-mail discussion lists.

    Security Fix(es):

    * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

    * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4839 advisory.

    Mailman is a program used to help manage e-mail discussion lists.

    Security Fix(es):

    * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

    * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4837 advisory.

    Mailman is a program used to help manage e-mail discussion lists.

    Security Fix(es):

    * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

    * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1436-1 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5121-2 advisory.

    USN-5009-1 fixed vulnerabilities in Mailman. This update provides the corresponding updates for Ubuntu     20.04 LTS. In addition, the following CVEs were fixed:

    It was discovered that Mailman allows arbitrary content injection. An attacker could use this to inject     malicious content. (CVE-2020-12108, CVE-2020-15011)

    It was discovered that Mailman improperly sanitize the MIME content. An attacker could obtain sensitive     information by sending a special type of attachment. (CVE-2020-12137)



Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2791 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-4991 advisory.

  - /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. (CVE-2020-12108)

  - GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login     page. (CVE-2020-15011)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5121-1 advisory.

    Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman did not properly associate cross-     site request forgery (CSRF) tokens to specific accounts. A remote attacker could use this to perform a     CSRF attack to gain access to another account. (CVE-2021-42097)

    Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman's cross-site request forgery (CSRF)     tokens for the options page are derived from the admin password. A remote attacker could possibly use this     to assist in performing a brute force attack against the admin password. (CVE-2021-42096)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Mark Sapiro reports :

A potential for for a list member to carry out an off-line brute-force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a users account. This is fixed.

ID	Name	Product	Family	Severity
236005	Alibaba Cloud Linux 3 : 0194: mailman:2.1 (ALINUX3-SA-2022:0194)	Nessus	Alibaba Cloud Linux Local Security Checks	high
180885	Oracle Linux 8 : mailman:2.1 (ELSA-2021-4826)	Nessus	Oracle Linux Local Security Checks	high
165117	RHEL 8 : mailman:2.1 (RHSA-2021:4826)	Nessus	Red Hat Local Security Checks	high
161744	SUSE SLES12 Security Update : mailman (SUSE-SU-2022:1886-1)	Nessus	SuSE Local Security Checks	high
158470	EulerOS 2.0 SP5 : mailman (EulerOS-SA-2022-1277)	Nessus	Huawei Local Security Checks	high
158309	EulerOS 2.0 SP3 : mailman (EulerOS-SA-2022-1177)	Nessus	Huawei Local Security Checks	high
157543	AlmaLinux 8 : mailman:2.1 (ALSA-2021:4826)	Nessus	Alma Linux Local Security Checks	high
155720	RHEL 8 : mailman:2.1 (RHSA-2021:4838)	Nessus	Red Hat Local Security Checks	high
155719	RHEL 8 : mailman:2.1 (RHSA-2021:4839)	Nessus	Red Hat Local Security Checks	high
155718	RHEL 8 : mailman:2.1 (RHSA-2021:4837)	Nessus	Red Hat Local Security Checks	high
154865	openSUSE 15 Security Update : mailman (openSUSE-SU-2021:1436-1)	Nessus	SuSE Local Security Checks	high
154779	Ubuntu 20.04 LTS : Mailman vulnerabilities (USN-5121-2)	Nessus	Ubuntu Local Security Checks	high
154427	Debian DLA-2791-1 : mailman - LTS security update	Nessus	Debian Local Security Checks	high
154354	Debian DSA-4991-1 : mailman - security update	Nessus	Debian Local Security Checks	high
154337	Ubuntu 16.04 ESM / 18.04 LTS : Mailman vulnerabilities (USN-5121-1)	Nessus	Ubuntu Local Security Checks	high
154315	FreeBSD : mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35 (8d65aa3b-31ce-11ec-8c32-a14e8e520dc7)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-42096

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high