| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Private key recovery |
|
| Description |
| + |
A security issue has been found in HyperKitty before version 1.3.5, where the secret archiver key is vulnerable to timing attacks. This is only exploitable if you can send a request from a approved IP listed in MAILMAN_ARCHIVER_FROM. |
|
| References |
| + |
https://gitlab.com/mailman/hyperkitty/-/blob/1.3.5/doc/news.rst#security |
| + |
https://gitlab.com/mailman/hyperkitty/-/issues/387 |
| + |
https://gitlab.com/mailman/hyperkitty/-/merge_requests/354 |
| + |
https://gitlab.com/mailman/hyperkitty/-/commit/b415d29d6cc59b3270c35b03ba3313dd03450271 |
|