VYPR
Unrated severity · NVD Advisory · Published Oct 21, 2021 · Updated Aug 4, 2024

CVE-2021-42096

Description

GNU Mailman before 2.1.35 uses an admin-derived csrf_token on user options pages, allowing a remote list member to brute-force the list admin password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GNU Mailman versions before 2.1.35 contain a privilege escalation vulnerability in the user options page (the per-member settings page). The csrf_token value rendered for an authenticated member on that page is always an admin-context token rather than a user-specific token, and that admin token is derived deterministically from the hashed list admin password [1][2]. Exploitation is limited to list members, because the token is only rendered after a member has authenticated to the options page [3].

Exploitation

An attacker must be a member of the target mailing list with valid credentials or a valid session. The attacker logs in to their own options page and extracts the csrf_token value from it. Because the token is computed from the hashed admin password by a deterministic function, the attacker can brute-force the admin password offline: each candidate password is hashed, run through the same token derivation, and compared with the captured token, with no further requests to the server, so login rate limiting and lockouts never apply [2]. The attack requires no privileges or user interaction beyond list membership.
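The following added example models the weakness described in the Vulnerability and Exploitation sections above. It is illustrative code written for this page, not Mailman's CSRFcheck.py or the 2.1.35 patch: the token function, the password, the timestamp, the list secret, the e-mail address and the candidate wordlist are all constructed assumptions. The weak scheme derives the token only from the stored admin password hash and a public issue timestamp, so a member who sees one token can test password guesses offline; the hardened variant keys an HMAC with a random per-list secret and binds the token to the user who received it, so the same token reveals nothing about the admin password.

```python
"""Illustrative model of CVE-2021-42096 (not Mailman's code).

Weak scheme: token = SHA1(stored_admin_hash || issued). The token shown to
any member on their options page is a function of the admin password hash
alone, so it can be brute-forced offline.
"""
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional

# --- Constructed sample data (hypothetical list, not from any real site) ---
ADMIN_PASSWORD = "zebra7"                      # what the attacker wants to recover
STORED_ADMIN_HASH = hashlib.sha1(ADMIN_PASSWORD.encode()).hexdigest()
ISSUED = 1634774400                            # token issue time, assumed public
LIST_SECRET = secrets.token_bytes(32)          # random per-list key (hardened scheme)


def admin_derived_token(stored_admin_hash: str, issued: int) -> str:
    """Weak scheme modelled on the advisory: nothing user-specific or random
    enters the computation, only the admin password hash and a timestamp."""
    return hashlib.sha1(f"{stored_admin_hash}{issued}".encode()).hexdigest()


def brute_force_admin_password(token: str, issued: int,
                               candidates: Iterable[str]) -> Optional[str]:
    """Offline attack: re-derive the token for each candidate password and
    compare it with the captured one. No request to the server is needed,
    so rate limiting and account lockouts never trigger."""
    for password in candidates:
        guess_hash = hashlib.sha1(password.encode()).hexdigest()
        if hmac.compare_digest(admin_derived_token(guess_hash, issued), token):
            return password
    return None


def wordlist() -> Iterable[str]:
    """Constructed candidate generator: a few base words with numeric
    suffixes. A real attacker would use a large password list."""
    bases = ["password", "admin", "mailman", "listadmin", "zebra", "lion"]
    for base in bases:
        yield base
        for suffix in range(100):
            yield f"{base}{suffix}"


def user_specific_token(list_secret: bytes, user: str, issued: int) -> str:
    """Hardened design (illustrative, not the 2.1.35 patch): an HMAC keyed
    with a random per-list secret, bound to the user who receives it. The
    admin password hash is never an input, so a captured token gives an
    attacker no value to test password guesses against."""
    message = f"{user.lower().strip()}|{issued}".encode()
    return hmac.new(list_secret, message, hashlib.sha256).hexdigest()


def verify_user_token(list_secret: bytes, user: str, issued: int,
                      token: str) -> bool:
    """Constant-time check of a submitted hardened token for this user."""
    expected = user_specific_token(list_secret, user, issued)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # The member captures the admin-derived token from their own options page
    # and recovers the admin password offline.
    weak = admin_derived_token(STORED_ADMIN_HASH, ISSUED)
    print("weak token   :", weak)
    print("recovered    :", brute_force_admin_password(weak, ISSUED, wordlist()))

    # The same attack against a user-specific keyed token finds nothing, even
    # though the admin password is in the attacker's wordlist.
    strong = user_specific_token(LIST_SECRET, "alice@example.com", ISSUED)
    print("strong token :", strong)
    print("recovered    :", brute_force_admin_password(strong, ISSUED, wordlist()))
    print("valid for alice:", verify_user_token(LIST_SECRET, "alice@example.com", ISSUED, strong))
    print("valid for bob  :", verify_user_token(LIST_SECRET, "bob@example.com", ISSUED, strong))
```

The weak derivation also uses unsalted SHA-1, which is fast to evaluate, so a modest wordlist runs in milliseconds; the timestamp in the token does not help, because it is sent to the attacker along with the token. In the hardened variant the offline attack has no password-dependent value to compare against, and because the user name is part of the MAC input, a token issued to one member does not verify for another.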

Impact

If the brute-force attack succeeds, the attacker learns the list admin password and can assume full administrative control of the mailing list. This discloses the admin credential itself and can lead to modification or disclosure of list settings, membership data, and archives. The CVE is classified as a privilege escalation [1].

Mitigation

A fix is available in GNU Mailman 2.1.35, released on 2021-10-21 [1][3]. Sites that cannot upgrade can apply the patch referenced in the mailman-announce list [3]. No workaround other than upgrading or patching is documented. Exposure is lower for lists whose membership is restricted to trusted users, since only an authenticated member can obtain the token [3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

18

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4

News mentions

0

No linked articles in our index yet.