CVE-2021-40347

Name: CVE-2021-40347
Description: An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.
Source: CVE
References: DSA-4970-1
Debian Bugs: 993746

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version            Status
postorius (PTS)    buster               1.2.4-1            vulnerable
                   buster (security)    1.2.4-1+deb10u1    fixed
                   bullseye             1.3.4-2            vulnerable
                   bullseye (security)  1.3.4-2+deb11u1    fixed
                   bookworm, sid        1.3.5-1            fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version      Urgency    Origin        Debian Bugs
postorius   source   buster       1.2.4-1+deb10u1               DSA-4970-1
postorius   source   bullseye     1.3.4-2+deb11u1               DSA-4970-1
postorius   source   (unstable)   1.3.5-1                                     993746

Notes

https://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
https://phabricator.wikimedia.org/T289798
