CVE-2021-3652
If an asterisk is imported as password hashes, either accidentally
or maliciously, then instead of being inactive, any password will
successfully match during authentication. This flaw allows an attacker
to successfully authenticate as a user whose password was disabled.
CVE-2021-4091
A double-free was found in the way 389-ds-base handles virtual
attributes context in persistent searches. An attacker could send a
series of search requests, forcing the server to behave unexpectedly,
and crash.
CVE-2022-0918
A vulnerability allows an unauthenticated attacker with network
access to the LDAP port to cause a denial of service. The denial of
service is triggered by a single message sent over a TCP connection,
no bind or other authentication is required. The message triggers
a segmentation fault that results in slapd crashing.
CVE-2022-0996
A vulnerability allows expired passwords to access the database to
cause improper authentication.
Get the latest Linux and open source security news straight to your inbox.