6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
38.5%
Severity: Medium
Date : 2021-07-27
CVE-ID : CVE-2021-3514 CVE-2021-3652
Package : 389-ds-base
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2206
The package 389-ds-base before version 2.0.7-1 is vulnerable to
multiple issues including authentication bypass and denial of service.
Upgrade to 2.0.7-1.
The problems have been fixed upstream in version 2.0.7.
None.
A security issue was found in 389-ds-base before version 2.0.5. When
using a sync_repl client, an authenticated attacker can cause a NULL
pointer dereference using a specially crafted query, causing a crash of
389-ds-base.
In 389-ds-base before version 2.0.7, it was found that if an asterisk
is imported as a password hash, either accidentally or maliciously,
then instead of being inactive, any password will successfully match
during authentication. This would allow an attacker to successfully
authenticate as a user who’s password was supposedly disabled.
An attacker could successfully authenticate as a user who’s password
was supposedly disabled. Furthermore, an authenticated attacker could
crash the 389-ds-base server.
https://bugzilla.redhat.com/show_bug.cgi?id=1952907
https://github.com/389ds/389-ds-base/issues/4711
https://github.com/389ds/389-ds-base/pull/4738
https://github.com/389ds/389-ds-base/commit/d7eef2fcfbab2ef8aa6ee0bf60f0a9b16ede66e0
https://bugzilla.redhat.com/show_bug.cgi?id=1982782
https://github.com/389ds/389-ds-base/issues/4817
https://github.com/389ds/389-ds-base/pull/4819
https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
https://security.archlinux.org/CVE-2021-3514
https://security.archlinux.org/CVE-2021-3652
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | 389-ds-base | < 2.0.7-1 | UNKNOWN |
bugzilla.redhat.com/show_bug.cgi?id=1952907
bugzilla.redhat.com/show_bug.cgi?id=1982782
github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
github.com/389ds/389-ds-base/commit/d7eef2fcfbab2ef8aa6ee0bf60f0a9b16ede66e0
github.com/389ds/389-ds-base/issues/4711
github.com/389ds/389-ds-base/issues/4817
github.com/389ds/389-ds-base/pull/4738
github.com/389ds/389-ds-base/pull/4819
security.archlinux.org/AVG-2206
security.archlinux.org/CVE-2021-3514
security.archlinux.org/CVE-2021-3652
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
38.5%