CVE-2021-3652
Severity: MEDIUM
389-ds-base < 2.0.7 - Improper Authentication via Asterisk Password Hash
A flaw was found in 389-ds-base. If an asterisk is imported as a user's password hash, either accidentally or maliciously, the account is not rendered inactive as intended; instead, any password successfully matches during authentication. This flaw allows an attacker to authenticate as a user whose password was disabled.
References (4)
Core References
Mailing List
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1982782
Patch, Third Party Advisory
https://github.com/389ds/389-ds-base/issues/4817
Scores
CVSS v3
6.5
EPSS
0.0135
EPSS Percentile
67.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-287
Status
published
Products (1)
port389/389-ds-base
< 2.0.7
Published
Apr 18, 2022
Tracked Since
Feb 18, 2026