CVE-2019-13031

NameCVE-2019-13031
DescriptionLemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1844-1
NVD severitymedium (attack range: remote)
Debian Bugs931117

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lemonldap-ng (PTS)jessie1.3.3-1vulnerable
jessie (security)1.3.3-1+deb8u2fixed
stretch1.9.7-3+deb9u2fixed
stretch (security)1.9.7-3+deb9u1vulnerable
buster2.0.2+ds-7+deb10u1fixed
buster (security)2.0.2+ds-7+deb10u2fixed
bullseye, sid2.0.6+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lemonldap-ngsource(unstable)2.0.0+ds-1medium931117
lemonldap-ngsourcejessie1.3.3-1+deb8u2mediumDLA-1844-1
lemonldap-ngsourcestretch1.9.7-3+deb9u2medium

Notes

Upstream issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1820
Issue explained in: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1818
2.0.0 upstream replaced the (old) feature with a new REST/JSON service, and
added a "oldXMLFormat" option which is functionwise broken up to 2.0.5.
By default the notification server is not enabled and has a 'deny all' rule.

Search for package or bug name: Reporting problems