Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS2-2022-1740

Related Vulnerabilities: CVE-2016-6893   CVE-2021-42097   CVE-2021-44227  

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893) A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right user and a token created by one user can be used by another one to perform a request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim user. (CVE-2021-42097) A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right type of user when performing admin operations and a token created by a regular user can be used by an admin to perform an admin-level request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim admin. (CVE-2021-44227)

Source

ALAS2-2022-1740

Amazon Linux 2 Security Advisory: ALAS-2022-1740
Advisory Release Date: 2022-01-18 21:37 Pacific
Advisory Updated Date: 2022-01-20 19:31 Pacific
Severity: Important
Issue Overview:

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. (CVE-2016-6893)

A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right user and a token created by one user can be used by another one to perform a request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim user. (CVE-2021-42097)

A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right type of user when performing admin operations and a token created by a regular user can be used by an admin to perform an admin-level request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim admin. (CVE-2021-44227)


Affected Packages:

mailman


Issue Correction:
Run yum update mailman to update your system.

New Packages:
aarch64:
    mailman-2.1.15-30.amzn2.2.aarch64
    mailman-debuginfo-2.1.15-30.amzn2.2.aarch64

i686:
    mailman-2.1.15-30.amzn2.2.i686
    mailman-debuginfo-2.1.15-30.amzn2.2.i686

src:
    mailman-2.1.15-30.amzn2.2.src

x86_64:
    mailman-2.1.15-30.amzn2.2.x86_64
    mailman-debuginfo-2.1.15-30.amzn2.2.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started