In 389-ds-base, it was found that if an asterisk is imported as a password hash, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This would allow an attacker to successfully authenticate as a user whose password was supposedly disabled.
https://bugzilla.redhat.com/show_bug.cgi?id=1982782
https://github.com/389ds/389-ds-base/issues/4817
https://github.com/389ds/389-ds-base/pull/4819
https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
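A pre-import check for the condition described above, as an added example that is not part of the advisory or of the 389-ds-base code: it scans LDIF text for userPassword values that consist only of an asterisk, so such entries can be reviewed before they are loaded. The optional {SCHEME} prefix handling, the sample entries and the function names are assumptions made for illustration.

```python
import base64
import re

# Constructed sample LDIF (not taken from the advisory): a plain asterisk value,
# a base64-encoded one, a folded ordinary hash, and a bare asterisk.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {CRYPT}*

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e0NSWVBUfSo=

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {PBKDF2_SHA256}AAAnEGNvbnN0cnVjdGVk
 U2FtcGxlT25seQ==

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: *
"""

# Assumption: a stored value may carry a leading {SCHEME} tag before the hash.
SCHEME_RE = re.compile(r"^\{[^}]*\}")

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with a single space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_asterisk_passwords(ldif_text):
    """Return the DNs whose userPassword hash is only '*'."""
    flagged, dn = [], None
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line or malformed line
        if value.startswith(":"):  # "attr:: " marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword" and SCHEME_RE.sub("", value).strip() == "*":
            flagged.append(dn)
    return flagged

if __name__ == "__main__":
    for entry in find_asterisk_passwords(SAMPLE_LDIF):
        print("asterisk password hash:", entry)
```
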