Improper access control in Postorius

#VU56454 Improper access control in Postorius

Published: 2021-09-12

Vulnerability identifier: #VU56454

Vulnerability risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-40347

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Postorius
Web applications / Webmail solutions

Vendor: GNU

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in views/list.py. A remote user logged in into any account can send a specially crafted HTTP POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Postorius: 1.0.0 - 1.3.4 rc1

External links
http://gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b
http://gitlab.com/mailman/postorius/-/tags
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993746
http://gitlab.com/mailman/postorius/-/issues/531
http://phabricator.wikimedia.org/T289798
http://www.debian.org/security/2021/dsa-4970

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for postorius

Improper access control in GNU Mailman Postorius