CVE-2006-4624

CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI.

Published: 2006-09-07 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2006-4624 is rated Low Risk (39.9/100): CVSS Low severity, with medium exploitation likelihood (EPSS 2.75%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2006-4624

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 2.70% 2.75% +0.05%
2 2025-10-01 2.39% 2.70% +0.31%
3 2025-06-16 2.39%

Full EPSS history (19 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2006-4624

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
2.6 2.0 LOW
AV:N/AC:H/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
4.9 2.9 [email protected]

Weakness enumeration for CVE-2006-4624

OS Trackers for CVE-2006-4624

vendor priority summary link
redhat low https://access.redhat.com/security/cve/CVE-2006-4624
ubuntu medium CVE-2006-4624 medium priority: Ubuntu including 1 source packages (mailman), 4 status rows across 4 suites (dapper, edgy, feisty, upstream): released 3, needs-triage 1. https://ubuntu.com/security/CVE-2006-4624

Vendor comments (NVD) for CVE-2006-4624

  • Red Hat (2007-09-05T00:00:00)

    Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205651 The Red Hat Security Response Team has rated this issue as having low security impact and expects to release a future update to address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 and 3 which are in maintenance mode. This bug will be addressed in a future update of Red Hat Enterprise Linux 4.

Affected software / configurations for CVE-2006-4624

Vendor Product Version Raw CPE
gnu mailman <= 2.1.8 cpe:2.3:a:gnu:mailman:*:*:*:*:*:*:*:*

References for CVE-2006-4624

URL Tags
http://mail.python.org/pipermail/mailman-announce/2006-September/000087.html
http://moritz-naumann.com/adv/0013/mailmanmulti/0013.txt
http://secunia.com/advisories/21732 Patch Vendor Advisory
http://secunia.com/advisories/22011 Vendor Advisory
http://secunia.com/advisories/22020 Vendor Advisory
http://secunia.com/advisories/22227 Vendor Advisory
http://secunia.com/advisories/22639 Vendor Advisory
http://secunia.com/advisories/27669 Vendor Advisory
http://security.gentoo.org/glsa/glsa-200609-12.xml
http://sourceforge.net/project/shownotes.php?group_id=103&release_id=444295 Patch
http://svn.sourceforge.net/viewvc/mailman/trunk/mailman/Mailman/Utils.py?r1=7859&r2=7923
http://www.debian.org/security/2006/dsa-1188
http://www.mandriva.com/security/advisories?name=MDKSA-2006:165
http://www.novell.com/linux/security/advisories/2006_25_sr.html
http://www.redhat.com/support/errata/RHSA-2007-0779.html
http://www.securityfocus.com/archive/1/445992/100/0/threaded
http://www.securityfocus.com/bid/19831
http://www.securityfocus.com/bid/20021
http://www.vupen.com/english/advisories/2006/3446
https://exchange.xforce.ibmcloud.com/vulnerabilities/28734
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9756
cvelogic Threat Intelligence