VYPR
High severity · NVD Advisory · Published Dec 2, 2021 · Updated Aug 4, 2024

CVE-2021-44227

Description

In GNU Mailman before 2.1.38, a list member or moderator can obtain a CSRF token and forge admin requests to escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In GNU Mailman versions prior to 2.1.38, a cross-site request forgery (CSRF) vulnerability exists. A list member or moderator can obtain a valid CSRF token from an admindb or options page and then craft a malicious POST request to the admin interface. This allows changing the list admin password or performing other administrative actions. The vulnerability is present in all versions before 2.1.38. [1], [2]

Exploitation

An attacker needs to be a list member or moderator to obtain a CSRF token from a legitimate page. They must then convince a list administrator to visit a crafted web page that submits the forged request. The attacker uses the token to impersonate the admin and submit a POST request to the admin page, e.g., to change the list admin password. [2]

Impact

If successful, the attacker can change the list admin password or other list settings, leading to unauthorized administrative access. This compromises the confidentiality and integrity of the mailing list administration. The attacker gains the ability to manage the list, potentially affecting all subscribers. [1], [2]

Mitigation

The vulnerability is fixed in GNU Mailman version 2.1.38, released on 2021-11-26. Users should upgrade to this version or later. No workarounds are documented. The fix was released as part of the normal release cycle. [2]
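The sections above describe a CSRF token that is accepted by the admin interface even though it was issued to a member or moderator on the options or admindb page. The defensive pattern that closes that gap is to bind the token to the identity and role of the session it was minted for and to the interface it may be submitted to, and to check all of that, not just the token's authenticity, on every state-changing request. The following Python is an added illustration of that pattern; it is not Mailman's code, does not reproduce Mailman's token format or the actual 2.1.38 fix, and all names, roles, scopes and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed secret for this illustration only; a deployment would load it
# from configuration and rotate it. Not a value taken from Mailman.
SERVER_SECRET = b"illustration-only-secret"


def _mac(secret: bytes, payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(user: str, role: str, scope: str,
               secret: bytes = SERVER_SECRET,
               nonce: Optional[str] = None) -> str:
    """Mint a token that records who it was issued to (user, role) and for
    which interface it is valid (scope, e.g. 'options', 'admindb', 'admin')."""
    nonce = nonce or secrets.token_hex(8)
    payload = f"{user}|{role}|{scope}|{nonce}"
    return f"{payload}|{_mac(secret, payload)}"


def _parse(token: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split a token into (user, role, scope, mac, signed_payload)."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    user, role, scope, nonce, mac = parts
    return user, role, scope, mac, "|".join((user, role, scope, nonce))


def verify_unbound(token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Weak check: only proves the token was minted by this server. Any
    authentic token, including one issued to a list member on the options
    page, is accepted by the admin interface. This is the shape of the
    weakness the advisory describes (illustration, not Mailman's code)."""
    parsed = _parse(token)
    if parsed is None:
        return False
    _, _, _, mac, payload = parsed
    return hmac.compare_digest(mac, _mac(secret, payload))


def verify_bound(token: str, session_user: str, session_role: str,
                 requested_scope: str, secret: bytes = SERVER_SECRET) -> bool:
    """Hardened check: the token must be authentic AND match the identity and
    role of the current session AND the scope of the interface it is being
    submitted to. A member's options-page token is rejected on /admin."""
    parsed = _parse(token)
    if parsed is None:
        return False
    user, role, scope, mac, payload = parsed
    if not hmac.compare_digest(mac, _mac(secret, payload)):
        return False  # tampered or foreign token
    return (user, role, scope) == (session_user, session_role, requested_scope)


def demo() -> dict:
    """Constructed scenario: a member token and an admin token, plus a member
    token whose role field was edited, each checked against the admin page."""
    member_tok = mint_token("alice@example.org", "member", "options")
    admin_tok = mint_token("listadmin", "admin", "admin")
    tampered = member_tok.replace("|member|", "|admin|")  # MAC no longer matches
    return {
        "unbound_accepts_member_token_on_admin":
            verify_unbound(member_tok),
        "bound_rejects_member_token_on_admin":
            verify_bound(member_tok, "listadmin", "admin", "admin"),
        "bound_accepts_admin_token_on_admin":
            verify_bound(admin_tok, "listadmin", "admin", "admin"),
        "bound_rejects_tampered_token":
            verify_bound(tampered, "listadmin", "admin", "admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The session values passed to verify_bound must come from the server-side session of the request being handled, never from the request body, otherwise the binding is meaningless. In a real application the token would additionally be tied to a session identifier and given an expiry; both are omitted here to keep the contrast between the unbound and bound checks visible.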

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mailman (PyPI)
Affected versions: < 2.1.38
Patched versions: 2.1.38

Affected products: 16

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (No linked articles in our index yet.)