Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-3652

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

Published

2022-04-18T17:15:15.443

Last Modified

2024-11-21T06:22:04.567

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-287
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	port389	389-ds-base	< 2.0.7	Yes

References

https://bugzilla.redhat.com/show_bug.cgi?id=1982782 Issue Tracking, Third Party Advisory ([email protected])
https://github.com/389ds/389-ds-base/issues/4817 Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1982782 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/389ds/389-ds-base/issues/4817 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html (af854a3a-2127-422b-91ae-364da2661108)