Bug 2020568 (CVE-2021-42097)
| Summary: | CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and account takeover | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | extras-orphan, infra-sig, jkaluza, jorton, mosvald, ngompa13 |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mailman 2.1.35 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right user and a token created by one user can be used by another one to perform a request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim user.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-24 09:08:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2020569, 2020688, 2020689, 2020690, 2020691, 2020692, 2020693 | ||
| Bug Blocks: | 2020570 | ||
|
Description
Marian Rehak
2021-11-05 10:07:47 UTC
Created mailman tracking bugs for this issue: Affects: fedora-all [bug 2020569] CSRF tokens generated for one user may be used to perform operations on another user, defeating the purpose of the CSRF token itself considering that an attacker can craft a CSRF token for a fake account and use that to perform the operation while the victim user is connected to the mailman list. The checking function, csrf_check(), checks whether the token is valid but it validates the data with the secret of the user found in the token itself, which could be different from the user that performed the request. A Cross-Site Request Forgery (CSRF) attack can be performed by using such CSRF token. This attack can be used to perform operations on behalf of the victim user or even take over his account. Privileged Required set to Low (PR:L) because an attacker needs to have a valid account on the mailman system in order for the CSRF token to be considered valid, even if for the wrong user. Although the version of mailman shipped in RHEL7 does not support CSRF tokens for user pages, it does use them for the admin operations (e.g. changing the password of the site admin). An attacker could perform a CSRF attack on a victim admin by using a user-based CSRF token to take control of the admin mailman user. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4826 https://access.redhat.com/errata/RHSA-2021:4826 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:4838 https://access.redhat.com/errata/RHSA-2021:4838 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:4837 https://access.redhat.com/errata/RHSA-2021:4837 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2021:4839 https://access.redhat.com/errata/RHSA-2021:4839 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-42097 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:4913 https://access.redhat.com/errata/RHSA-2021:4913 |