CVE-2021-3652
389-ds-base - security update
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 0.12%
Description
A flaw was found in 389-ds-base. If an asterisk ("*") is imported as a user's password hash, either accidentally or maliciously, the account is not treated as inactive: instead, any password supplied during authentication matches. This allows an attacker to authenticate as a user whose password was meant to be disabled.
How to fix CVE-2021-3652
To remediate CVE-2021-3652, upgrade the affected package to the fixed version below (the version string identifies the Debian 11 "bullseye" update).
- upgrade to 1.4.4.11-2+deb11u1 or later (same fixed version for both affected packages)
Is CVE-2021-3652 being exploited?
Low. EPSS is 0.12%, an estimated probability that the flaw is exploited in the wild over the next 30 days; the score indicates no broad exploitation activity, not that exploitation is hard. The CVSS vector (network, no privileges, no user interaction) shows that once an entry with an asterisk password hash exists, an unauthenticated attacker only needs to attempt a login as that user.
Affected packages (2)
- both listed packages: affected from version 0 (every earlier release), fixed in 1.4.4.11-2+deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |