GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-4826 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4826 advisory.

  - mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the mailman package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

  - In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes. (CVE-2021-44227)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the mailman package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4826 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2021:4913-1 advisory.

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

  - mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

  - mailman: CSRF protection missing in the user options page (CVE-2016-6893)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:4913 advisory.

  - mailman: CSRF protection missing in the user options page (CVE-2016-6893)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

  - mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-4913 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

  - In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request     (using that token) to set a new admin password or make other changes. (CVE-2021-44227)

  - Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before     2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an     option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4913 advisory.

  - mailman: CSRF protection missing in the user options page (CVE-2016-6893)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

  - mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4838 advisory.

  - mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4839 advisory.

  - mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:4837 advisory.

  - mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096)

  - mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1436-1 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5121-2 advisory.

  - /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. (CVE-2020-12108)

  - GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts.
    This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an     archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the     MIME type should have been text/html, and execute JavaScript code. (CVE-2020-12137)

  - GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login     page. (CVE-2020-15011)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2791 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-4991 advisory.

  - /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. (CVE-2020-12108)

  - GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login     page. (CVE-2020-15011)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5121-1 advisory.

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived     from the admin password, and may be useful in conducting a brute-force attack against that password.
    (CVE-2021-42096)

  - GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a     single user account. An attacker can obtain a value within the context of an unprivileged user account,     and then use that value in a CSRF attack against an admin (e.g., for account takeover). (CVE-2021-42097)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Mark Sapiro reports :

A potential for for a list member to carry out an off-line brute-force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a users account. This is fixed.

ID	Name	Product	Family	Severity
180885	Oracle Linux 8 : mailman:2.1 (ELSA-2021-4826)	Nessus	Oracle Linux Local Security Checks	high
165117	RHEL 8 : mailman:2.1 (RHSA-2021:4826)	Nessus	Red Hat Local Security Checks	high
158470	EulerOS 2.0 SP5 : mailman (EulerOS-SA-2022-1277)	Nessus	Huawei Local Security Checks	high
158309	EulerOS 2.0 SP3 : mailman (EulerOS-SA-2022-1177)	Nessus	Huawei Local Security Checks	high
157543	AlmaLinux 8 : mailman:2.1 (ALSA-2021:4826)	Nessus	Alma Linux Local Security Checks	high
155949	Scientific Linux Security Update : mailman on SL7.x x86_64 (2021:4913)	Nessus	Scientific Linux Local Security Checks	high
155863	CentOS 7 : mailman (CESA-2021:4913)	Nessus	CentOS Local Security Checks	high
155844	Oracle Linux 7 : mailman (ELSA-2021-4913)	Nessus	Oracle Linux Local Security Checks	high
155833	RHEL 7 : mailman (RHSA-2021:4913)	Nessus	Red Hat Local Security Checks	high
155720	RHEL 8 : mailman:2.1 (RHSA-2021:4838)	Nessus	Red Hat Local Security Checks	high
155719	RHEL 8 : mailman:2.1 (RHSA-2021:4839)	Nessus	Red Hat Local Security Checks	high
155718	RHEL 8 : mailman:2.1 (RHSA-2021:4837)	Nessus	Red Hat Local Security Checks	high
154865	openSUSE 15 Security Update : mailman (openSUSE-SU-2021:1436-1)	Nessus	SuSE Local Security Checks	high
154779	Ubuntu 20.04 LTS : Mailman vulnerabilities (USN-5121-2)	Nessus	Ubuntu Local Security Checks	high
154427	Debian DLA-2791-1 : mailman - LTS security update	Nessus	Debian Local Security Checks	high
154354	Debian DSA-4991-1 : mailman - security update	Nessus	Debian Local Security Checks	high
154337	Ubuntu 16.04 ESM / 18.04 LTS : Mailman vulnerabilities (USN-5121-1)	Nessus	Ubuntu Local Security Checks	high
154315	FreeBSD : mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35 (8d65aa3b-31ce-11ec-8c32-a14e8e520dc7)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-42097

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high