2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface

The Sympa Community 2021-01-06 (Update)


A fix is available for defects in the access restriction of the Sympa SOAP/HTTP interface.

Systems Affected

Problem Description

Defects have been discovered in the authenticateAndRun call of the Sympa SOAP/HTTP interface by which access restriction can be bypassed, and therefore these things are allowed:

As a result, any SOAP call can be executed.

For more details see References.

This problem does not apply to environments where the SOAP/HTTP server (sympa_soap_server.fcgi) is not running.


An attacker can execute any SOAP call with the privileges of any Sympa account.



or, if you have installed Sympa using an earlier version of the source distribution,

CVE Numbers




The security flaw was initially reported by Stefan Brenner.

Change log

CC BY-SA 4.0 Unless otherwise specified, the contents of this document are licensed under the Creative Commons - Attribution - ShareAlike license. For more details see LICENSE and AUTHORS.