A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| 389_directory_server | Redhat | 1.4.0.0 (including) | 1.4.0.0 (including) |
| Red Hat Enterprise Linux 7 | RedHat | 389-ds-base-0:1.3.10.2-16.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | 389-ds:1.4-8060020220519123000.824efc52 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support | RedHat | 389-ds:1.4-8040020220615161601.96015a92 | * |
| Red Hat Enterprise Linux 9 | RedHat | 389-ds-base-0:2.1.3-4.el9_1 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | 389-ds-base-0:2.0.14-3.el9_0 | * |
| 389-ds-base | Ubuntu | bionic | * |
| 389-ds-base | Ubuntu | focal | * |
| 389-ds-base | Ubuntu | impish | * |
| 389-ds-base | Ubuntu | kinetic | * |
| 389-ds-base | Ubuntu | lunar | * |
| 389-ds-base | Ubuntu | mantic | * |
| 389-ds-base | Ubuntu | oracular | * |
| 389-ds-base | Ubuntu | plucky | * |
| 389-ds-base | Ubuntu | trusty | * |
| 389-ds-base | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2064769
- https://github.com/ByteHackr/389-ds-base
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QFD7CBBX3IZOSHEWL2EYKRLOEQSXCZ6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYT2IQJFHQWZENJJRY6EJB3XIFZGNT7F/
- https://bugzilla.redhat.com/show_bug.cgi?id=2064769
- https://github.com/ByteHackr/389-ds-base
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QFD7CBBX3IZOSHEWL2EYKRLOEQSXCZ6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PYT2IQJFHQWZENJJRY6EJB3XIFZGNT7F/