CVSS3: 6.5 Medium
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS2: 6.4 Medium
AV:N/AC:L/Au:N/C:P/I:P/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.001 Low (percentile 38.5%)
A flaw was found in 389-ds-base. If an asterisk (*) is imported as a user's password hash, whether accidentally or maliciously, the account is not inactive as intended: any password successfully matches during authentication. An attacker can therefore authenticate as a user whose password was disabled this way.
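The flaw described above comes down to a password verifier that fails open on a stored value it cannot interpret. What follows is an added example written for this page, not code from 389-ds-base or its fix commits: a small LDIF audit that flags userPassword values that are a bare or schemed asterisk (or otherwise unverifiable), a fail-closed verifier, and beside it a naive verifier that models the symptom the advisory describes (a crypt(3)-style "*" error token string-compared against the stored value). The SSHA256 layout, the KNOWN_SCHEMES and DISABLED_MARKERS sets, the _LDIF_LINE parser and the sample LDIF are assumptions constructed for the illustration; naive_verify is a model of the symptom, not 389-ds's actual code path.

```python
import base64
import hashlib
import hmac
import re

# Assumptions for this illustration (not 389-ds's own tables): the one scheme
# the verifier knows, and the usual "account disabled" marker values.
KNOWN_SCHEMES = {"SSHA256"}
DISABLED_MARKERS = {"*", "!", "!!", ""}
_LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """Minimal LDIF reader (no line folding); decodes '::' base64 values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:       # sentinel flushes last entry
        if line == "":
            if cur:
                entries.append(cur)
                cur = {}
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            continue
        key, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8", "replace")
        cur.setdefault(key, []).append(val)
    return entries

def classify_hash(stored):
    """'disabled', 'unknown-scheme', or the upper-cased known scheme name."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
    else:
        scheme, rest = "", stored
    if rest.strip() in DISABLED_MARKERS:
        return "disabled"
    return scheme.upper() if scheme.upper() in KNOWN_SCHEMES else "unknown-scheme"

def ssha256_hash(password, salt):
    """SSHA256-style value: {SSHA256} + base64(sha256(password + salt) + salt)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def verify_password(stored, candidate):
    """Fail closed: a value that is not a well-formed hash of a known scheme
    (a bare '*' included) never matches, whatever the candidate is."""
    if classify_hash(stored) != "SSHA256":
        return False
    blob = base64.b64decode(stored[len("{SSHA256}"):])
    if len(blob) <= 32:                        # no salt, or truncated digest
        return False
    expected = hashlib.sha256(candidate.encode() + blob[32:]).digest()
    return hmac.compare_digest(blob[:32], expected)

def naive_verify(stored, candidate):
    """Models the symptom the advisory describes, not 389-ds's code path: the
    hashing helper returns '*' as an error token for a value it cannot
    interpret (a crypt(3)-style convention) and the caller string-compares
    that token to the stored value, so a stored '*' matches every password."""
    if classify_hash(stored) == "SSHA256":
        salt = base64.b64decode(stored[len("{SSHA256}"):])[32:]
        return ssha256_hash(candidate, salt) == stored
    error_token = "*"
    return error_token == stored

def audit_ldif(text):
    """(dn, value, kind) for every userPassword that is disabled or unverifiable."""
    findings = []
    for entry in parse_ldif(text):
        for pw in entry.get("userPassword", []):
            kind = classify_hash(pw)
            if kind in ("disabled", "unknown-scheme"):
                findings.append((entry["dn"][0], pw, kind))
    return findings

# Constructed sample export: bob carries base64 for "*" exactly as an LDIF
# import would, carol a schemed '*', dave a cleartext value.
ALICE_HASH = ssha256_hash("correct horse battery", b"\x01\x02\x03\x04")
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {ALICE_HASH}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: Kg==

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {{CRYPT}}*

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: hunter2
"""

if __name__ == "__main__":
    for dn, value, kind in audit_ldif(SAMPLE_LDIF):
        print(f"{kind:15} {dn}  ({value!r})")
```

Running the audit over a directory export is the practical pre-upgrade check: an account whose userPassword is a bare asterisk was meant to be inactive and, on an unpatched server, is exactly the case the advisory describes. The fail-closed verifier shows the property the fix has to guarantee: the stored value's format decides whether a comparison is even attempted, and a value with no recognised scheme is rejected before any candidate is hashed.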
Author | Note |
---|---|
ccdm94 | this CVE is very similar to CVE-2017-15135. The patch for CVE-2017-15135 seems to fix this issue. CVE-2017-15135 was introduced in a patch for CVE-2016-5405, not applied in trusty and xenial. The patch for CVE-2017-15135 is included in the package for releases following xenial. |
github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7 (master)
github.com/389ds/389-ds-base/commit/c1926dfc6591b55c4d33f9944de4d7ebe077e964 (1.4.4.x)
github.com/389ds/389-ds-base/issues/4817
launchpad.net/bugs/cve/CVE-2021-3652
nvd.nist.gov/vuln/detail/CVE-2021-3652
security-tracker.debian.org/tracker/CVE-2021-3652
www.cve.org/CVERecord?id=CVE-2021-3652