#VU53655 Improper Authorization in HyperKitty


Published: 2021-05-30

Vulnerability identifier: #VU53655

Vulnerability risk: Low

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2021-33038

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HyperKitty
Web applications / Remote management & hosting panels

Vendor: GNU

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because "management/commands/hyperkitty_import.py" does not enforce the list's access restrictions while a private mailing list's archive is being imported during a migration from Mailman 2 to Mailman 3. For the duration of the import the archive is readable by everyone, so a remote, unauthenticated attacker who requests it at that time can download the private messages. The exposure is limited to the import stage, which is why the CVSS vector rates attack complexity as high (AC:H).
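The following is an added illustration of the failure mode described above; it is not HyperKitty code and does not import HyperKitty. The archive, list and authorization check are small stand-ins so the script runs offline. It assumes (the page does not state this) that the importer creates the list with a public default and applies the Mailman 2 privacy setting only after the messages have been written, and it contrasts that ordering with one that applies the setting first. The list name and message texts are constructed sample input.

```python
"""Model of an import that leaves a private archive readable until it finishes.

Added example, not HyperKitty's own code. The import sequence below is an
assumption; the advisory only states that the archive becomes readable by
everyone during the import stage.
"""
from dataclasses import dataclass, field

ANONYMOUS = None  # stands for an unauthenticated request


@dataclass
class MailingList:
    name: str
    private: bool = False                      # assumed default: archive is public
    members: set = field(default_factory=set)
    messages: list = field(default_factory=list)


class Archive:
    """Minimal archive with a per-read authorization check."""

    def __init__(self):
        self.lists = {}

    def create_list(self, name):
        self.lists[name] = MailingList(name)
        return self.lists[name]

    def can_read(self, name, user):
        # The check itself is correct; the bug is the state the list is in
        # while it is being filled.
        ml = self.lists[name]
        if not ml.private:
            return True
        return user is not None and user in ml.members

    def read(self, name, user):
        if not self.can_read(name, user):
            raise PermissionError(f"{user!r} may not read {name}")
        return list(self.lists[name].messages)


def vulnerable_import(archive, name, mm2_messages, mm2_private, probe):
    """Create the list with defaults, write every message, then apply the
    Mailman 2 privacy flag. `probe` observes the archive after each write."""
    ml = archive.create_list(name)
    leaked = []
    for msg in mm2_messages:
        ml.messages.append(msg)
        leaked.extend(probe(archive, name))
    ml.private = mm2_private               # too late: everything above was public
    return leaked


def fixed_import(archive, name, mm2_messages, mm2_private, probe):
    """Same import, but the privacy flag is applied before any message is written."""
    ml = archive.create_list(name)
    ml.private = mm2_private
    leaked = []
    for msg in mm2_messages:
        ml.messages.append(msg)
        leaked.extend(probe(archive, name))
    return leaked


def anonymous_probe(archive, name):
    """What an unauthenticated attacker polling the archive gets at that moment."""
    try:
        return archive.read(name, ANONYMOUS)
    except PermissionError:
        return []


# Constructed sample input standing in for a private Mailman 2 archive.
SAMPLE_MESSAGES = ["msg-1: board minutes", "msg-2: salary list", "msg-3: incident report"]


def exposure(import_fn):
    """Distinct messages an anonymous poller could read during the import."""
    leaked = import_fn(Archive(), "private-list", SAMPLE_MESSAGES,
                       mm2_private=True, probe=anonymous_probe)
    return sorted(set(leaked))


if __name__ == "__main__":
    print("vulnerable import leaked:", exposure(vulnerable_import))
    print("fixed import leaked:     ", exposure(fixed_import))
```

The point the model makes is that a correct per-request authorization check is not enough: the resource must already be in its restricted state before the first byte of private data is written to it, otherwise every request served in between is authorized against the wrong policy.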

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability. The upstream fix commit is listed under External links. Until a release containing it is installed, a practical precaution is to block unauthenticated access to the archive (for example at the reverse proxy) for the duration of the Mailman 2 to Mailman 3 import, so that nothing is exposed during the import window.

Vulnerable software versions

HyperKitty: 0.1.2 - 1.3.4 rc2


External links
http://gitlab.com/mailman/hyperkitty/-/issues/380
http://gitlab.com/mailman/hyperkitty/-/commit/9025324597d60b2dff740e49b70b15589d6804fa


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
