Vulnerability in Mailman that lets a subscriber recover the mailing list administrator password

A corrective release of GNU Mailman 2.1.35, the mailing list management system used to coordinate developers in many open source projects, has been published. The update fixes two vulnerabilities. The first (CVE-2021-42096) allows any user subscribed to a mailing list to determine the administrator password of that list. The second (CVE-2021-42097) makes it possible to carry out a CSRF attack against another subscriber of the list in order to take over their account. The attack can only be performed by a subscribed user. Mailman 3 is not affected by the problem.

Both problems are caused by the fact that the csrf_token value used to protect the settings page ("Options") against CSRF attacks always coincides with the administrator's token, rather than being generated separately for the user of the current session. Password material is used when generating csrf_token, which significantly weakens the password's resistance to brute-force guessing. Since a csrf_token created for one user is also valid for another user, an attacker can craft a page which, when opened, executes commands on behalf of the other user and takes control of their account.
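To make the design flaw concrete, the following added example (illustrative code, not Mailman's own) contrasts a CSRF token that is a deterministic function of long-lived password material, and therefore identical for every visitor and a leak of that material, with a per-session token: a fresh random secret is kept server-side for each session, the token is an HMAC over the user identity and the form it protects, and verification uses a constant-time comparison. The names `weak_csrf_token`, `CsrfSession` and the form label `"options"` are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


# --- Weak pattern (illustrative of the flaw described above, not Mailman's code) ---
# The token is a pure function of the list name and the administrator's password
# hash.  Every user of the settings page receives the same value, and anyone who
# holds it has something they can test password guesses against offline.
def weak_csrf_token(list_name: str, admin_password_hash: str) -> str:
    data = f"{list_name}:{admin_password_hash}".encode()
    return hashlib.sha1(data).hexdigest()


# --- Hardened pattern ---
# One random secret per session, never derived from any password.  The token binds
# the user identity and the protected form, so a token minted for one user does not
# verify for another, and knowledge of the token reveals nothing about credentials.
class CsrfSession:
    def __init__(self, user: str):
        self.user = user
        # Fresh per session; stored server-side alongside the session record.
        self.secret = secrets.token_bytes(32)

    def mint(self, form: str) -> str:
        """Issue the token embedded in the given form for this session's user."""
        msg = f"{self.user}|{form}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def verify(self, form: str, token: str) -> bool:
        """Check a submitted token in constant time against the expected value."""
        expected = self.mint(form)
        return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    shared = weak_csrf_token("dev-list", "sha1$deadbeef")
    print("weak token is the same for everyone:",
          shared == weak_csrf_token("dev-list", "sha1$deadbeef"))

    alice, bob = CsrfSession("alice@example.org"), CsrfSession("bob@example.org")
    t = alice.mint("options")
    print("alice's token verifies for alice:", alice.verify("options", t))
    print("alice's token verifies for bob:", bob.verify("options", t))
```

The point of the hardened variant is that the token carries no information about any password and is worthless outside the session that issued it; a token captured from one subscriber cannot be replayed as another subscriber, which removes both problems described above.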

Source: media reports.