oss-sec mailing list archives
Re: 3 new CVE's in old branch of GNU mailman
From: Valtteri Vuorikoski <vuori () notcom org>
Date: Mon, 21 Apr 2025 19:48:02 +0300
On Mon, Apr 21, 2025 at 09:08:33AM -0700, Alan Coopersmith wrote:
> 3 new CVE's have been published for GNU Mailman 2.1.39, as bundled with cPanel and WHM, credited to Firudin Davudzada and Musazada Aydan.
>
> CVE-2025-43919: Directory Traversal in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
> Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43919
>
> […]
>
> CVE-2025-43921: Unauthenticated Mailing List Creation in GNU Mailman 2.1.39 (cPanel/WHM Bundle)
> Details/POC: https://github.com/0NYX-MY7H/CVE-2025-43921
I saw these mentioned earlier and could not reproduce either on a stock 2.1.39 install. Looking at the code that handles the "private" endpoint, it's also hard to see a route from the username POST parameter to path construction.

Are these vulnerabilities due to modifications made by the vendor (cPanel LLC) to their distributed version?

-Valtteri