oss-sec mailing list archives
Re: 3 new CVE's in old branch of GNU mailman
From: Jeremy Reeder <jeremy.reeder () webpros com>
Date: Thu, 8 May 2025 17:48:39 +0000
We at cPanel have investigated these claimed vulnerabilities, both internally and via third-party subject-matter experts. We are unable to reproduce the claims using the information provided by the reporter. We do not consider these vulnerabilities to be valid, and we’re in the process of disputing them. Jeremy Reeder | Application Security Engineer On 4/21/25, 10:08, "Alan Coopersmith" <alan.coopersmith () oracle com> wrote: 3 new CVE's have been published for GNU Mailman 2.1.39, as bundled with cPanel and WHM, credited to Firudin Davudzada and Musazada Aydan. Note that upstream declared GNU Mailman 2.1 (which requires Python 2), to be end of life back in 2020, and recommends migrations to Mailman 3 (which uses Python 3 instead): mailman-announce () python org<https://mail.python.org/archives/list/%3ca%20href=>/thread/TJLEX52N2ARNOQBC2ZNYMNV5U226R5NM/">https://mail.python.org/archives/list/mailman-announce () python org<mailto:mailman-announce () python org>/thread/TJLEX52N2ARNOQBC2ZNYMNV5U226R5NM/ CVE-2025-43919: Directory Traversal in GNU Mailman 2.1.39 (cPanel/WHM Bundle) Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43919 GNU Mailman 2.1.39, as bundled with cPanel and WHM, contains a critical directory traversal vulnerability in the /mailman/private/mailman endpoint. Unauthenticated attackers can exploit this flaw to read arbitrary files on the server, such as /etc/passwd or Mailman configuration files, due to insufficient input validation in the private.py CGI script. CVE-2025-43920: Command Injection via Email Subject in GNU Mailman 2.1.39 (cPanel/WHM Bundle) Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43920 GNU Mailman 2.1.39, as bundled with cPanel and WHM, is vulnerable to a critical command injection flaw that allows unauthenticated attackers to execute arbitrary operating system commands. The vulnerability occurs when an external archiver is configured using PUBLIC_EXTERNAL_ARCHIVER or PRIVATE_EXTERNAL_ARCHIVER in the mm_cfg.py configuration file, and the email subject line contains shell metacharacters that are not properly sanitized. CVE-2025-43921: Unauthenticated Mailing List Creation in GNU Mailman 2.1.39 (cPanel/WHM Bundle) Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43921 GNU Mailman 2.1.39, as bundled with cPanel and WHM, is vulnerable to an authentication bypass flaw that allows unauthenticated attackers to create mailing lists via the /mailman/create endpoint. The issue stems from missing access controls in the create CGI script, enabling attackers to abuse the mailing system for spam, phishing, or resource exhaustion. -- -Alan Coopersmith- alan.coopersmith () oracle com<mailto:alan.coopersmith () oracle com> Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- 3 new CVE's in old branch of GNU mailman Alan Coopersmith (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Valtteri Vuorikoski (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Thomas Ward (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Valtteri Vuorikoski (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Jim P. (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Thomas Ward (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Valtteri Vuorikoski (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Mats Wichmann (Apr 21)
- Re: 3 new CVE's in old branch of GNU mailman Russ Allbery (Apr 21)
- <Possible follow-ups>
- Re: 3 new CVE's in old branch of GNU mailman Jeremy Reeder (May 08)