CVE-2017-7551: 389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on…

critical9.8CVSS 3.0

AVNACLPRNUINSUCHIHAH

389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.

Affected

7 ranges

Vendor	Product	Version range	Fixed in
389_directory_server	389-ds-base	—	—
debian	389-ds-base	< 389-ds-base 1.3.6.7-1 (bookworm)	389-ds-base 1.3.6.7-1 (bookworm)
fedoraproject	389_directory_server	—	—
fedoraproject	389_directory_server	—	—
port389	389-ds-base	>= 0 < 1.3.6.7-1	1.3.6.7-1
port389	389-ds-base	>= 0 < 1.3.6.7-1	1.3.6.7-1
port389	389-ds-base	>= 0 < 1.3.6.7-1	1.3.6.7-1

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL