It was found that invalid password hashes were not correctly handled by 389-ds-base. An asterisk, '*', is a method that can be used in a NIS database, or in /etc/shadow, to disable an account's password. As a result of the flaw, if an LDAP admin imports such an account from a NIS or /etc/shadow database into Directory Server, any password will be valid for that account. Reference: https://github.com/389ds/389-ds-base/issues/4817
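Added example, not part of this bug report and not 389-ds-base code: a Python script that audits an LDIF export for userPassword values that are shadow/NIS lock markers ('*', '!', '!!', 'x') or carry no recognised {SCHEME} prefix, so such accounts can be caught before they are imported into Directory Server. It also shows a fail-closed comparison (an unparseable stored value can never match) beside a lenient model of the symptom the report describes. The recognised-scheme list, the sample LDIF, the accounts in it and all function names are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac

# Assumed scheme list for the example; Directory Server supports more (e.g. SSHA512, PBKDF2-SHA512).
KNOWN_SCHEMES = {"SSHA", "SSHA512", "PBKDF2_SHA256", "CRYPT", "CLEAR"}
# Values /etc/shadow and NIS use to disable a password; none of them is a hash.
LOCKED_MARKERS = {"*", "!", "!!", "x"}


def _entry_from_lines(lines):
    """Turn one LDIF record (already unfolded) into (dn, {attr: [values]}); decodes '::' base64 values."""
    dn, attrs = None, {}
    for line in lines:
        if line.startswith("version:"):
            continue
        if "::" in line and line.index("::") == line.find(":"):
            name, b64 = line.split("::", 1)
            value = base64.b64decode(b64.strip()).decode("utf-8", "replace")
        else:
            name, value = line.split(":", 1)
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def iter_ldif_entries(ldif_text):
    """Yield (dn, attrs) for each blank-line-separated LDIF record; joins ' '-continued lines, skips comments."""
    record = []
    for raw in ldif_text.splitlines() + [""]:
        if raw == "":
            if record:
                yield _entry_from_lines(record)
                record = []
        elif raw.startswith("#"):
            continue
        elif raw.startswith(" ") and record:
            record[-1] += raw[1:]
        else:
            record.append(raw)


def classify_hash(value):
    """'ok' only for a {SCHEME} prefix we recognise; everything else is named so it can be rejected."""
    v = value.strip()
    if v in LOCKED_MARKERS:
        return "locked-marker"
    if v.startswith("{") and "}" in v:
        scheme = v[1:v.index("}")].upper()
        return "ok" if scheme in KNOWN_SCHEMES else "unknown-scheme"
    return "no-scheme"


def audit_ldif(ldif_text):
    """Return (dn, value, verdict) for every userPassword that should not be imported as-is."""
    findings = []
    for dn, attrs in iter_ldif_entries(ldif_text):
        for value in attrs.get("userpassword", []):
            verdict = classify_hash(value)
            if verdict != "ok":
                findings.append((dn, value, verdict))
    return findings


def make_ssha(password, salt=b"\x01\x02\x03\x04"):
    """{SSHA}: base64(sha1(password + salt) + salt), the usual LDAP layout."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored, candidate):
    """Fail-closed bind check: unknown schemes, lock markers and malformed data never match."""
    stored = stored.strip()
    if classify_hash(stored) != "ok":
        return False
    scheme, data = stored[1:].split("}", 1)
    try:
        if scheme.upper() == "CLEAR":
            return hmac.compare_digest(data.encode(), candidate.encode())
        if scheme.upper() == "SSHA":
            blob = base64.b64decode(data, validate=True)
            digest, salt = blob[:20], blob[20:]
            return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    except ValueError:  # binascii.Error is a ValueError: corrupt base64 means no match
        return False
    return False  # recognised scheme this example does not implement: refuse rather than guess


def verify_password_lenient(stored, candidate):
    """Model of the reported symptom only (not the 389-ds-base code path): an unparseable
    stored value is not treated as a failure, so any candidate password is accepted."""
    if classify_hash(stored) == "ok":
        return verify_password(stored, candidate)
    return True


ALICE_STORED = make_ssha("alice-pw")
# Constructed LDIF: one healthy account, two accounts disabled shadow/NIS-style, one unknown scheme.
SAMPLE_LDIF = f"""version: 1

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {ALICE_STORED}

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: *

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
userPassword:: IQ==

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
userPassword: {{FOO}}notahash
"""

if __name__ == "__main__":
    for dn, value, verdict in audit_ldif(SAMPLE_LDIF):
        print(f"{verdict:15} {dn}  userPassword={value!r}")
```

Run it against the LDIF produced by your migration tooling before `ldapadd`/`dsconf ... import`; any `locked-marker` finding is an account whose password should be removed or the account disabled in the directory (for example via nsAccountLock) rather than imported with the marker as its credential.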
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1982786]
Upstream fix: https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3079 https://access.redhat.com/errata/RHSA-2021:3079
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3652
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3807 https://access.redhat.com/errata/RHSA-2021:3807
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3906 https://access.redhat.com/errata/RHSA-2021:3906
This issue has been addressed in the following products: Red Hat Directory Server 11.4 for RHEL 8 Via RHSA-2021:3955 https://access.redhat.com/errata/RHSA-2021:3955