CVE-2021-34337

2023-04-1520:16:00

Google

osv.dev

cve-2021-34337

timing attacks

rest api

password

arbitrary calls

localhost

interfaces

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.3%

JSON

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.

CPENameOperatorVersion
mailmaneq3.1.0rc1
mailmaneq3.1.0.b4
mailmaneq3.0b3
mailmaneq3.0b5-A
mailmaneq3.2.1rc1
mailmaneq3.0a8
mailmaneq3.0b2
mailmaneq3.3.3
mailmaneq3.0
mailmaneq3.3.2