#VU53655 Improper Authorization in HyperKitty - CVE-2021-33038

Published: May 30, 2021


Vulnerability identifier: #VU53655
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-33038
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: HyperKitty
Software vendor: GNU

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because "management/commands/hyperkitty_import.py", the Django management command that imports a Mailman 2 list's archive into HyperKitty during a migration to Mailman 3, does not apply the source list's private archive policy before loading its messages. While the import runs, the messages already imported are served to unauthenticated visitors as if the archive were public; the exposure window lasts for the whole import, so it grows with the size of the archive. A remote attacker who requests the archive during that window can read the private list's traffic, and once the import finishes the list is marked private, so an after-the-fact check of the policy does not reveal that anything was exposed.
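The ordering problem described above, reduced to a small model. This is an added illustration, not HyperKitty's own code: the `MailingList` class, its permissive `archive_policy = "public"` default on creation, the `MEMBERS` set, the `can_view` check and the sample messages are all constructed for the example. It contrasts the flawed sequence (create the list, import every message, then set the policy read from Mailman 2) with the hardened sequence (set the policy first), and records what an anonymous request arriving after each imported message would have been served.

```python
"""Model of the import-ordering flaw behind CVE-2021-33038.

Added illustration, not HyperKitty's own code. A list object with an
archive_policy, an authorization check, and an import loop are enough to
show why "create list, import, then mark private" leaks while
"mark private, then import" does not.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three messages from a private Mailman 2 list.
SAMPLE_MESSAGES = [
    "From: alice@example.org\nSubject: board minutes\n\n...",
    "From: bob@example.org\nSubject: Re: board minutes\n\n...",
    "From: carol@example.org\nSubject: budget draft\n\n...",
]
# Constructed membership used by the authorization check.
MEMBERS = {"alice@example.org", "bob@example.org", "carol@example.org"}


@dataclass
class MailingList:
    name: str
    # Assumed permissive default on creation; the real policy is only
    # applied once the importer gets around to it.
    archive_policy: str = "public"
    messages: List[str] = field(default_factory=list)


def can_view(mlist: MailingList, user: Optional[str]) -> bool:
    """Authorization check: public archives are open, private ones are members-only."""
    if mlist.archive_policy == "public":
        return True
    return user is not None and user in MEMBERS


def run_import(messages: List[str], source_policy: str,
               apply_policy_first: bool) -> Tuple[MailingList, List[bool]]:
    """Import messages into a freshly created list.

    Returns the list and, per message, whether an unauthenticated web
    request arriving right after that message landed would have been
    allowed to read the archive.
    """
    mlist = MailingList(name="board")
    if apply_policy_first:
        mlist.archive_policy = source_policy   # hardened ordering
    exposed_during_import = []
    for raw in messages:
        mlist.messages.append(raw)
        # Anonymous request (user=None) that lands mid-import.
        exposed_during_import.append(can_view(mlist, None))
    # Vulnerable ordering applies the source policy only here, after the
    # whole archive is already on disk and has been served as public.
    mlist.archive_policy = source_policy
    return mlist, exposed_during_import


def import_vulnerable(messages: List[str], source_policy: str = "private"):
    return run_import(messages, source_policy, apply_policy_first=False)


def import_fixed(messages: List[str], source_policy: str = "private"):
    return run_import(messages, source_policy, apply_policy_first=True)


if __name__ == "__main__":
    for label, importer in (("vulnerable", import_vulnerable), ("fixed", import_fixed)):
        mlist, exposed = importer(SAMPLE_MESSAGES)
        print(f"{label}: final policy={mlist.archive_policy}, "
              f"messages readable anonymously during import={sum(exposed)}/{len(exposed)}")
```

Both orderings end with the list marked private, which is why auditing the policy after the migration finishes tells you nothing about what was readable while it ran; the check has to be applied before the first message is written, or the archive must not be reachable from the web until the import completes.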


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability. Because the exposure exists only while the import command is running, operators migrating a private list can limit it by ensuring the HyperKitty web frontend is not reachable by unauthenticated users until the import has finished and the list's archive policy has been confirmed as private.

External links