CVE-2021-3652

Published: Apr 18, 2022Modified: Nov 3, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

Affected (1)

Products: Port389: 389 Ds Base

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Port389 389 Ds Base	Before 2.0.7

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (7)

https://bugzilla.redhat.com/show_bug.cgi?id=1982782

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://github.com/389ds/389-ds-base/issues/4817

Source: secalert@redhat.com

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1982782

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://github.com/389ds/389-ds-base/issues/4817

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.