Your submission was sent successfully! Close

CVE-2021-3652

Published: 18 April 2022

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
389-ds-base
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(1.3.7.10-1ubuntu1)
focal Not vulnerable
(1.3.7.10-1ubuntu1)
hirsute Not vulnerable
(1.3.7.10-1ubuntu1)
impish Not vulnerable
(1.3.7.10-1ubuntu1)
jammy Not vulnerable
(1.3.7.10-1ubuntu1)
trusty Does not exist
(trusty was not-affected [code not present])
upstream
Released (1.3.7.9-1, 1.4.2.18, 1.4.3.25, 1.4.4.17, 2.0.7)
xenial Not vulnerable
(code not present)

Notes

AuthorNote
ccdm94
this CVE is very similar to CVE-2017-15135. The patch for
CVE-2017-15135 seems to fix this issue. CVE-2017-15135
was introduced in a patch for CVE-2016-5405, not applied
in trusty and xenial. The patch for CVE-2017-15135 is
included in the package for releases following xenial.

References

Bugs