CVE-2021-3652

Publication date 18 April 2022

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.5 · Medium

Score breakdown

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

Read the notes from the security team

Status

Package Ubuntu Release Status
389-ds-base 22.04 LTS jammy
Not affected
21.10 impish
Not affected
21.04 hirsute
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty Not in release

Notes


ccdm94

this CVE is very similar to CVE-2017-15135. The patch for CVE-2017-15135 seems to fix this issue. CVE-2017-15135 was introduced in a patch for CVE-2016-5405, not applied in trusty and xenial. The patch for CVE-2017-15135 is included in the package for releases following xenial.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
389-ds-base

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N