CVE-2019-13031

Name	CVE-2019-13031
Description	LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DLA-1844-1
NVD severity	medium
Debian Bugs	931117

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
lemonldap-ng (PTS)	stretch	1.9.7-3+deb9u2	fixed
	stretch (security)	1.9.7-3+deb9u4	fixed
	buster, buster (security)	2.0.2+ds-7+deb10u5	fixed
	bullseye, sid	2.0.11+ds-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
lemonldap-ng	source	jessie	1.3.3-1+deb8u2	DLA-1844-1
lemonldap-ng	source	stretch	1.9.7-3+deb9u2
lemonldap-ng	source	(unstable)	2.0.0+ds-1		931117

Notes

Upstream issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1820
Issue explained in: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1818
2.0.0 upstream replaced the (old) feature with a new REST/JSON service, and
added a "oldXMLFormat" option which is functionwise broken up to 2.0.5.
By default the notification server is not enabled and has a 'deny all' rule.