CVE-2021-34337

MEDIUM

Mailman Core <3.3.5 - Info Disclosure

Title source: llm

Description

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.

References (3)

[Patch, Vendor Advisory] https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51

View Patch ZIP pw:eip

[Broken Link] https://gitlab.com/mailman/mailman/-/issues/911

[Release Notes] https://gitlab.com/mailman/mailman/-/tags

Scores

CVSS v3 6.3

EPSS 0.0017

EPSS Percentile 37.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-208

Status published

Products (2)

gnu/mailman < 3.3.5

pypi/mailman 0 - 3.3.5PyPI

Published Apr 15, 2023

Tracked Since Feb 18, 2026