
CVE-2021-40347: GNU Mailman Postorius Access Control Issues

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.4405%
Published: 5/24/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name: postorius
Ecosystem: pip
Vulnerable Versions: < 1.3.5
First Patched Version: 1.3.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the ListUnsubscribeView's post handler lacking ownership verification. The security patch adds an explicit check comparing the submitted email against the user's verified addresses. The unpatched version of this view function would appear in profiler traces when handling malicious unsubscribe requests, as it's the direct entry point for processing unsubscribe operations. The function signature matches the Django class-based view structure (Class.method) that would appear in stack traces.
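To make the missing check concrete, here is an added, Django-free model of an unsubscribe view's post handler (illustration only, not Postorius code); the vulnerable shape acts on whatever address is submitted, while the hardened shape first requires the address to be among the requesting account's verified addresses. All names (User, Request, MailingList, the two view classes, run_scenario) and the sample addresses are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    verified_addresses: frozenset  # addresses this account has proven control of

@dataclass
class Request:
    user: User   # the logged-in account making the request
    POST: dict   # submitted form fields

@dataclass
class MailingList:
    members: set = field(default_factory=set)

class UnsubscribeViewUnchecked:
    """Vulnerable shape: acts on whatever address the form submits."""

    def __init__(self, mlist):
        self.mlist = mlist

    def post(self, request):
        email = request.POST["email"]
        if email not in self.mlist.members:
            return 404, "not a member"  # membership oracle for any address
        self.mlist.members.discard(email)
        return 200, "unsubscribed"

class UnsubscribeViewChecked(UnsubscribeViewUnchecked):
    """Hardened shape: refuse addresses the requester has not verified, with one
    uniform response so membership of other people's addresses is not revealed."""

    def post(self, request):
        email = request.POST["email"]
        if email not in request.user.verified_addresses:
            return 403, "address not verified for this account"
        return super().post(request)

def run_scenario(view_cls):
    """Constructed data: bob submits alice's address, an unknown address, then his own."""
    mlist = MailingList({"alice@example.org", "bob@example.org"})
    bob = User("bob", frozenset({"bob@example.org"}))
    view = view_cls(mlist)
    other = view.post(Request(bob, {"email": "alice@example.org"}))
    probe = view.post(Request(bob, {"email": "carol@example.org"}))
    own = view.post(Request(bob, {"email": "bob@example.org"}))
    return other, probe, own, sorted(mlist.members)
```

Running `run_scenario` with each class shows the unchecked view removing alice's address and answering differently for a non-member address, while the checked view returns the same 403 for both and only acts on bob's own address.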


WAF Protection Rules

WAF Rule

An issue was discovered in `views/list.py` in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in
