CVE-2021-46900
NixOS vulnerability analysis and mitigation

Overview

Sympa before version 6.2.62 contains a security vulnerability in its handling of the cookie parameter. The vulnerability, tracked as CVE-2021-46900, arises because Sympa relies on this parameter for critical security functions but does not ensure that it exists or that it is unpredictable. The parameter serves two purposes: it is the salt for stored passwords and the basis of the XSS protection mechanism in message archives (Sympa Advisory).

Technical details

The vulnerability stems from the cookie parameter in the sympa.conf configuration file being used to generate unpredictable identifiers for the system. The parameter was used both as a salt for password encryption with the RC4 symmetric key algorithm (which is no longer considered secure) and as a protection mechanism against XSS attacks in message archives. The implementation had two critical flaws: the parameter had to be unique per installation yet could not be changed once set, and even when properly configured it was not strong enough to resist brute force attacks (Sympa Advisory, GitHub Issue).

Impact

The vulnerability's impact is significant because it could allow attackers to carry out XSS attacks in message archives. Additionally, the weak salt for stored passwords could make password cracking easier. The issue is particularly severe for installations operating without the cookie parameter set, as this completely invalidates the intended security measures (Sympa Advisory).

Mitigation and workarounds

For systems that cannot immediately upgrade to the latest version, a temporary workaround is available: administrators should set a value for the cookie parameter. However, on versions 6.2.40 or earlier, administrators must first upgrade RC4-encrypted passwords using upgrade_sympa_password.pl (for version 6.2.16 or later) or sympa.pl --md5_encode_password (for earlier versions). After setting the parameter, all Sympa services (the Sympa daemons, WWSympa and the Sympa SOAP service) must be restarted. The permanent solution is to upgrade to Sympa 6.2.62 or later, which no longer uses the cookie parameter (Sympa Advisory).


