CVE-2021-40347: 
Python vulnerability analysis and mitigation

CVE-2021-40347 affects GNU Mailman Postorius before version 1.3.5. The vulnerability allows any authenticated user to unsubscribe any other user from a mailing list through a crafted POST request to the unsubscribe endpoint. Additionally, this vulnerability enables the attacker to determine whether a specific email address was subscribed to a list, as the system would reveal this information through error messages (Debian Bug, GitLab Issue).

The vulnerability exists in views/list.py of the Postorius application. The issue stems from the lack of validation to verify whether the user making the unsubscribe request actually owns the email address being unsubscribed. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers to unsubscribe any user from any mailing list without authorization. Furthermore, it enables information disclosure by revealing whether specific email addresses are subscribed to mailing lists, potentially exposing private membership information (GitLab Issue).

The vulnerability was fixed in Postorius version 1.3.5 by adding email ownership verification before processing unsubscribe requests. The patch checks if the user making the request owns the email address they are attempting to unsubscribe. For Debian systems, security updates were released as version 1.2.4-1+deb10u1 for oldstable (buster) and version 1.3.4-2+deb11u1 for stable (bullseye) distributions (Debian Security Advisory).