Mailman Core vulnerable to timing attacks
Moderate severity
GitHub Reviewed
Published
Apr 15, 2023
to the GitHub Advisory Database
•
Updated Apr 25, 2023
Description
Published by the National Vulnerability Database
Apr 15, 2023
Published to the GitHub Advisory Database
Apr 15, 2023
Reviewed
Apr 18, 2023
Last updated
Apr 25, 2023
An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces.
References