CVE-2021-43332

Vulnerability

In GNU Mailman versions before 2.1.36, the CSRF (Cross-Site Request Forgery) token used on the Cgi/admindb.py admindb page is constructed by encrypting the list administrator password. This design flaw means that any observer who can access the CSRF token (e.g., a list moderator viewing the admindb page source) obtains the encrypted password material, which can then be subjected to offline brute-force analysis [1]. The affected versions are all releases prior to 2.1.36 [2].

Exploitation

An attacker who holds a list moderator role and thus has legitimate access to the admindb page can extract the CSRF token value from the page's HTML or network traffic. Because the token embeds the encrypted administrator password, the moderator can then perform an offline brute-force attack to recover the plaintext password. No authentication other than moderator-level access is required; the attacker does not need to be a list administrator [1].

Impact

Successful exploitation allows a list moderator to discover the plaintext list administrator password. With this password, the attacker can then assume full administrative control over the mailing list, leading to potential compromise of list configuration, subscriber data, and mailing list operations. The confidentiality of the admin password is breached, and the attacker gains elevated privileges beyond their moderator role [1][2].

Mitigation

The vulnerability is fixed in GNU Mailman version 2.1.36, released on 2021-11-12 [2]. Users should upgrade to this version or apply the security patches provided by the project for earlier versions. Mailman 2.1.30 was the last feature release, but the project intends to provide patch releases for security issues. No workaround is specified in the references for this CVE; upgrading is the recommended action [2].