CVE-2021-3652
Publication date 18 April 2022
Last updated 24 July 2024
Ubuntu priority
CVSS 3 severity score 6.5 (Medium)
A flaw was found in 389-ds-base. If an asterisk (*) is imported as a user's password hash, either accidentally or maliciously, the account is not made inactive as intended: any password successfully matches it during authentication. This allows an attacker to authenticate as a user whose password was disabled.
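As an added example (not 389-ds-base code, and not a description of its internal comparison routine), the following Python script shows the check an administrator would want after reading this advisory: scan an LDIF export for userPassword values that are a lone `*` (plain or base64-encoded) or carry no recognised {SCHEME} prefix, and, alongside it, a compare routine that fails closed on such values instead of matching anything. The scheme allowlist, the sample entries and the {SSHA} verifier are assumptions for illustration; the LDIF line folding, the `::` base64 convention and the {SSHA} encoding are standard.

```python
"""Audit an LDIF export for password values that should lock an account
(a lone '*' or anything without a recognised {SCHEME} prefix) and show a
compare routine that fails closed on such values.

Added example; not 389-ds-base code.  KNOWN_SCHEMES is an assumption for
illustration, only {SSHA} is actually verified, and SAMPLE_LDIF is a
constructed export.  Standard library only."""
import base64
import hashlib
import os

# Assumed allowlist of hash schemes this example recognises.
KNOWN_SCHEMES = {"SSHA", "SSHA256", "SSHA512", "PBKDF2_SHA256", "CRYPT"}


def parse_ldif(text):
    """Return [(dn, [userPassword values])] from LDIF text.

    Handles folded continuation lines and '::' base64 values, so a
    base64-encoded '*' (userPassword:: Kg==) is seen as the marker it is."""
    entries, dn, pws = [], None, []
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line == "":
            if dn is not None:
                entries.append((dn, pws))
            dn, pws = None, []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            pws.append(value)
    return entries


def classify(value):
    """Return None for a value shaped like a hash of a known scheme,
    otherwise a short reason why it must never match a bind password."""
    if value == "*":
        return "asterisk lock marker"
    if not value.startswith("{") or "}" not in value:
        return "no {SCHEME} prefix"
    scheme = value[1:value.index("}")].upper()
    if scheme not in KNOWN_SCHEMES:
        return "unknown scheme " + scheme
    return None


def audit(ldif_text):
    """List (dn, reason) for every userPassword value that is not a usable hash."""
    return [(dn, reason)
            for dn, pws in parse_ldif(ldif_text)
            for reason in map(classify, pws) if reason]


def ssha_hash(password, salt=None):
    """{SSHA} = base64(sha1(password || salt) || salt); fixed salt allowed for tests."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def safe_compare(stored, candidate):
    """Fail closed: a lone '*', a missing prefix or an unknown scheme never
    matches, whatever the candidate is.  Only {SSHA} is verified here."""
    if classify(stored) is not None:
        return False
    close = stored.index("}")
    scheme = stored[1:close].upper()
    if scheme == "SSHA":
        raw = base64.b64decode(stored[close + 1:])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    return False  # schemes not implemented in this example never match


# Constructed sample export: one real {SSHA} hash, two forms of the '*'
# marker (plain and base64-encoded) and one value with no scheme prefix.
ALICE_HASH = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {ALICE_HASH}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: *

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: Kg==

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: secret
"""

if __name__ == "__main__":
    for dn, reason in audit(SAMPLE_LDIF):
        print(f"{dn}: {reason}")
    print("alice / correct horse:", safe_compare(ALICE_HASH, "correct horse"))
    print("bob '*' / anything:", safe_compare("*", "anything"))
```

Run it against an export taken with db2ldif (or an ldapsearch bound as Directory Manager). Every account it flags carries a userPassword value that is not a usable hash: on an affected build a lone `*` would accept any bind password instead of disabling the account, and a value with no scheme prefix deserves a look for the same reason. The fail-closed compare shows the behaviour a fixed server must have; it is not a copy of the project's routine.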
Status
Package | Ubuntu Release | Status |
---|---|---|
389-ds-base | 22.04 LTS jammy | Not affected |
389-ds-base | 20.04 LTS focal | Not affected |
389-ds-base | 18.04 LTS bionic | Not affected |
389-ds-base | 16.04 LTS xenial | Not affected |
389-ds-base | 14.04 LTS trusty | Not in release |
Notes
ccdm94
This CVE is very similar to CVE-2017-15135. The patch for CVE-2017-15135 seems to fix this issue. CVE-2017-15135 was introduced in a patch for CVE-2016-5405, not applied in trusty and xenial. The patch for CVE-2017-15135 is included in the package for releases following xenial.
Patch details
Package | Patch details |
---|---|
389-ds-base | |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |