Source: Ubuntu.com (ubuntucve)
ID: UB:CVE-2021-40347
Date: Sep 10, 2021 - 12:00 a.m.

CVE-2021-40347

gnu mailman postorius
unauthorized unsubscription
email addresses

CVSS2: 5.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.001
Percentile: 50.4%

An issue was discovered in views/list.py in GNU Mailman Postorius before
1.3.5. An attacker (logged into any account) can send a crafted POST
request to unsubscribe any user from a mailing list, also revealing whether
that address was subscribed in the first place.

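| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | postorius | < 1.1.2-3ubuntu0.1 | UNKNOWN |
| ubuntu | 20.04 | noarch | postorius | < 1.2.4-1ubuntu0.1 | UNKNOWN |
| ubuntu | 21.04 | noarch | postorius | < 1.3.4-1ubuntu0.1 | UNKNOWN |
| ubuntu | 21.10 | noarch | postorius | < 1.3.4-2ubuntu0.1 | UNKNOWN |
| ubuntu | 22.04 | noarch | postorius | < 1.3.5-1 | UNKNOWN |
| ubuntu | 22.10 | noarch | postorius | < 1.3.5-1 | UNKNOWN |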
