CVE-2020-29668

LOW

Sympa <6.2.59b.2 - Info Disclosure

Title source: llm

Description

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

Scores

CVSS v3: 3.7
EPSS: 0.0104
EPSS Percentile: 77.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-287, CWE-565
Status: published
Products (6):
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 32
fedoraproject/fedora 33
sympa/sympa 6.2.59 beta1
sympa/sympa < 6.2.58
Published: Dec 10, 2020
Tracked Since: Feb 18, 2026