Vulnerability Description
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Port389 | 389-Ds-Base | < 2.0.7 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1982782Issue TrackingThird Party Advisory
- https://github.com/389ds/389-ds-base/issues/4817PatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1982782Issue TrackingThird Party Advisory
- https://github.com/389ds/389-ds-base/issues/4817PatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html
FAQ
What is CVE-2021-3652?
CVE-2021-3652 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authenti...
How severe is CVE-2021-3652?
CVE-2021-3652 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3652?
Check the references section above for vendor advisories and patch information. Affected products include: Port389 389-Ds-Base.