Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <62e9c3e0-dd06-4d88-8192-1d0add89d0c8@oracle.com>
Date: Mon, 21 Apr 2025 09:08:33 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: 3 new CVE's in old branch of GNU mailman

3 new CVE's have been published for GNU Mailman 2.1.39, as bundled with cPanel
and WHM, credited to Firudin Davudzada and Musazada Aydan.

Note that upstream declared GNU Mailman 2.1 (which requires Python 2), to be
end of life back in 2020, and recommends migrations to Mailman 3 (which
uses Python 3 instead):
https://mail.python.org/archives/list/mailman-announce@python.org/thread/TJLEX52N2ARNOQBC2ZNYMNV5U226R5NM/


CVE-2025-43919: Directory Traversal in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43919

    GNU Mailman 2.1.39, as bundled with cPanel and WHM, contains a critical
    directory traversal vulnerability in the /mailman/private/mailman endpoint.
    Unauthenticated attackers can exploit this flaw to read arbitrary files on
    the server, such as /etc/passwd or Mailman configuration files, due to
    insufficient input validation in the private.py CGI script.


CVE-2025-43920: Command Injection via Email Subject in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43920

    GNU Mailman 2.1.39, as bundled with cPanel and WHM, is vulnerable to a
    critical command injection flaw that allows unauthenticated attackers
    to execute arbitrary operating system commands. The vulnerability occurs
    when an external archiver is configured using PUBLIC_EXTERNAL_ARCHIVER or
    PRIVATE_EXTERNAL_ARCHIVER in the mm_cfg.py configuration file, and the
    email subject line contains shell metacharacters that are not properly
    sanitized.


CVE-2025-43921: Unauthenticated Mailing List Creation in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43921

    GNU Mailman 2.1.39, as bundled with cPanel and WHM, is vulnerable to an
    authentication bypass flaw that allows unauthenticated attackers to create
    mailing lists via the /mailman/create endpoint. The issue stems from missing
    access controls in the create CGI script, enabling attackers to abuse the
    mailing system for spam, phishing, or resource exhaustion.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.