CVE-2021-3652Improper Authentication in 389-ds-base

CWE-287Improper Authentication6 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 69.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Port389 389-ds-base
Timeline
PublishedApr 18
Latest updateApr 19

Description

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

NVDport389/389-ds-base< 2.0.7
Debianport389/389-ds-base< 1.4.4.11-2+deb11u1+2
CVEListV5port389/389-ds-base389-ds-base 2.0.7

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-qc73-mcqm-3m29: A flaw was found in 389-ds-base2022-04-19
CVEList
CVE-2021-3652: A flaw was found in 389-ds-base2022-04-18
OSV
CVE-2021-3652: A flaw was found in 389-ds-base2022-04-18

📋Vendor Advisories

2
Red Hat
389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed2021-06-29
Debian
CVE-2021-3652: 389-ds-base - A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, ...2021
CVE-2021-3652 — Improper Authentication in 389-ds-base | cvebase