CVE-2021-43332

MEDIUM

GNU Mailman <2.1.36 - Info Disclosure

Title source: llm

Description

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

References (3)

[Issue Tracking, Patch, Third Party Advisory] https://bugs.launchpad.net/mailman/+bug/1949403

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/06/msg00011.html

[Various Sources] https://mail.python.org/archives/list/mailman-announce%40python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/

Scores

CVSS v3 6.5

EPSS 0.0012

EPSS Percentile 31.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (2)

gnu/mailman < 2.1.36

debian/debian_linux

Timeline

Published Nov 12, 2021

Tracked Since Feb 18, 2026