Mailman-2.1.x vulnerabilities found
Just received word about those three:
https://github.com/0NYX-MY7H/CVE-2025-43921 -- wasn't able to reproduce on 2.1.39
https://github.com/0NYX-MY7H/CVE-2025-43920 -- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
https://github.com/0NYX-MY7H/CVE-2025-43919 -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin
Tel. +49 30 450 570 155 ralf.hildebrandt@charite.de https://www.charite.de
On Tue, Apr 29, 2025 at 9:32 AM Ralf Hildebrandt via Mailman-Users < mailman-users@python.org> wrote:
Just received word about those three:
https://github.com/0NYX-MY7H/CVE-2025-43921 -- wasn't able to reproduce on 2.1.39
Same for me. All this "exploit" gets me is the list creation page, which still requires an admin password to execute the creation of the list.
https://github.com/0NYX-MY7H/CVE-2025-43920 -- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
Also can't test this one, same reason.
https://github.com/0NYX-MY7H/CVE-2025-43919 -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
I get back the standard private archives authentication page.
It seems like these exploits were only tested on the cPanel fork of mailman 2.x, but the CVEs are ambiguous on that point. I'd be interested in hearing back from the maintainers what they think. We were already planning a 3.x migration, and can move faster if we have to, but if this doesn't affect us we can just proceed on our planned schedule. <matt@conundrum.com>
On 4/29/25 06:31, Ralf Hildebrandt via Mailman-Users wrote:
Just received word about those three:
https://github.com/0NYX-MY7H/CVE-2025-43921 -- wasn't able to reproduce on 2.1.39
https://github.com/0NYX-MY7H/CVE-2025-43920 -- wasn't able to reproduce on 2.1.39, due to not using an *_EXTERNAL_ARCHIVER
https://github.com/0NYX-MY7H/CVE-2025-43919 -- wasn't able to reproduce on 2.1.39, getting "Access denied" from Mailman
They are bogus. CVE-2025-43919 and CVE-2025-43921 ignore the fact that the attacker would need to provide authentication which the proof of concept attacks do not do and hence do not work. Thus, there is no vulnerability.
CVE-2025-43920 relies on a convoluted configuration with an external archiver and only involves Mailman in the attack as an agent that forwards a message with a crafted Subject: to the external archiver and that attack could just as well be carried out by sending the mail to the archiver directly. There are no plans to address this in Mailman 2.1.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (3)
-
Mark Sapiro -
Matthew Pounsett -
Ralf Hildebrandt