Lucene search

AmazonALAS2-2018-985

HistoryApr 05, 2018 - 4:09 p.m.

Medium: mailman

2018-04-0516:09:00

alas.aws.amazon.com

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

64.5%

JSON

Issue Overview:

Cross-site scripting (XSS) vulnerability in web UI
A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user’s side and force the victim to perform unintended actions. (CVE-2018-5950)

Affected Packages:

mailman

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update mailman to update your system.

New Packages:

src:  
    mailman-2.1.15-26.amzn2.1.src  
  
x86_64:  
    mailman-2.1.15-26.amzn2.1.x86_64  
    mailman-debuginfo-2.1.15-26.amzn2.1.x86_64

Additional References

Red Hat: CVE-2018-5950

Mitre: CVE-2018-5950

OSVersionArchitecturePackageVersionFilename
Amazon Linux2x86_64mailman< 2.1.15-26.amzn2.1mailman-2.1.15-26.amzn2.1.x86_64.rpm
Amazon Linux2x86_64mailman-debuginfo< 2.1.15-26.amzn2.1mailman-debuginfo-2.1.15-26.amzn2.1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	x86_64	mailman	< 2.1.15-26.amzn2.1	mailman-2.1.15-26.amzn2.1.x86_64.rpm
Amazon Linux	2	x86_64	mailman-debuginfo	< 2.1.15-26.amzn2.1	mailman-debuginfo-2.1.15-26.amzn2.1.x86_64.rpm