CVE-2021-42097: 
Alma Linux vulnerability analysis and mitigation

GNU Mailman before version 2.1.35 contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2021-42097. The vulnerability was discovered by Andre Protas, Richard Cloke, and Andy Nuttall of Apple and was disclosed on October 21, 2021. The issue affects the user options page where a csrf_token value is not specific to a single user account (Python Announce, NVD).

The vulnerability stems from improper CSRF token handling where a token generated for one user session can be considered valid for another user session. The CVSS v3.1 base score is 8.0 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) (NVD).

An attacker can obtain a CSRF token value within the context of an unprivileged user account and then use that value in a CSRF attack against another user, potentially leading to account takeover. The attack can only be carried out by list members, which may limit the impact for sites with only trusted list members (Python Announce).

The vulnerability was fixed in GNU Mailman version 2.1.35. Various Linux distributions have released security updates to address this vulnerability, including Debian (version 1:2.1.29-1+deb10u2) and Red Hat Enterprise Linux. Organizations are advised to upgrade to the patched version (Debian Security, Red Hat).