CVE-2021-3652 - log

CVE-2021-3652 edited at 30 Jul 2021 14:06:27
Description
- In 389-ds-base before version 2.0.7, it was found that if an asterisk is imported as a password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This would allow an attacker to successfully authenticate as a user who's password was supposedly disabled.
+ In 389-ds-base before version 2.0.7, it was found that if an asterisk is imported as a password hash, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This would allow an attacker to successfully authenticate as a user who's password was supposedly disabled.
CVE-2021-3652 edited at 26 Jul 2021 21:11:58
Description
- In 389-ds-base, it was found that if an asterisk is imported as a password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This would allow an attacker to successfully authenticate as a user who's password was supposedly disabled.
+ In 389-ds-base before version 2.0.7, it was found that if an asterisk is imported as a password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This would allow an attacker to successfully authenticate as a user who's password was supposedly disabled.
CVE-2021-3652 edited at 22 Jul 2021 08:24:51
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Authentication bypass
Description
+ In 389-ds-base, it was found that if an asterisk is imported as a password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This would allow an attacker to successfully authenticate as a user who's password was supposedly disabled.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1982782
+ https://github.com/389ds/389-ds-base/issues/4817
+ https://github.com/389ds/389-ds-base/pull/4819
+ https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
Notes
CVE-2021-3652 created at 22 Jul 2021 08:22:45