CVE-2021-3652

CVE Database · CVE-2021-3652

CVE-2021-3652

· MEDIUMModified

CVSS v3.1

6.5

EPSS

1.36%

Published

Apr 18, 2022

Modified

Nov 3, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses (CWE)

CWE-287

Affected Products (1)

port389 · 389-ds-base (up to 2.0.7)vulnerable

References (7)

https://bugzilla.redhat.com/show_bug.cgi?id=1982782

Issue TrackingThird Party Advisory

https://github.com/389ds/389-ds-base/issues/4817

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html