Unrated severityNVD Advisory· Published Apr 18, 2022· Updated Nov 3, 2025

CVE-2021-3652

Description

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

Affected products

389-ds-base/389-ds-basedescription
osv-coords14 versions
pkg:rpm/opensuse/389-ds&distro=openSUSE%20Leap%2015.2 pkg:rpm/opensuse/389-ds&distro=openSUSE%20Leap%2015.3 pkg:rpm/suse/389-ds&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2 pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3 pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/389-ds&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
< 1.4.3.24~git13.7b705e743-lp152.2.18.1+ 13 more
- (no CPE)range: < 1.4.3.24~git13.7b705e743-lp152.2.18.1
- (no CPE)range: < 1.4.4.16~git16.c1926dfc6-3.4.1
- (no CPE)range: < 1.4.2.16~git68.efa843752-150100.7.34.1
- (no CPE)range: < 1.4.2.16~git68.efa843752-150100.7.34.1
- (no CPE)range: < 1.4.2.16~git68.efa843752-150100.7.34.1
- (no CPE)range: < 1.4.0.31~git15.8b9843b0b-150000.4.27.1
- (no CPE)range: < 1.4.0.31~git15.8b9843b0b-150000.4.27.1
- (no CPE)range: < 1.4.3.24~git13.7b705e743-3.19.1
- (no CPE)range: < 1.4.4.16~git16.c1926dfc6-3.4.1
- (no CPE)range: < 1.4.2.16~git68.efa843752-150100.7.34.1
- (no CPE)range: < 1.4.2.16~git68.efa843752-150100.7.34.1
- (no CPE)range: < 1.4.0.31~git15.8b9843b0b-150000.4.27.1
- (no CPE)range: < 1.4.0.31~git15.8b9843b0b-150000.4.27.1
- (no CPE)range: < 1.4.2.16~git68.efa843752-150100.7.34.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.debian.org/debian-lts-announce/2023/04/msg00026.htmlmitremailing-list
bugzilla.redhat.com/show_bug.cgimitre
github.com/389ds/389-ds-base/issues/4817mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000