CVE-2019-13057

Name: CVE-2019-13057
Description: An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1891-1
NVD severity: low
Debian Bugs: 932997

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                     Version                  Status
openldap (PTS)    stretch                     2.4.44+dfsg-5+deb9u4     fixed
                  stretch (security)          2.4.44+dfsg-5+deb9u8     fixed
                  buster, buster (security)   2.4.47+dfsg-3+deb10u6    fixed
                  bullseye                    2.4.57+dfsg-3            fixed
                  bookworm, sid               2.4.59+dfsg-1            fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version            Urgency   Origin       Debian Bugs
openldap   source   jessie       2.4.40+dfsg-1+deb8u5               DLA-1891-1
openldap   source   stretch      2.4.44+dfsg-5+deb9u3
openldap   source   buster       2.4.47+dfsg-3+deb10u1
openldap   source   (unstable)   2.4.48+dfsg-1            low                    932997

Notes

https://openldap.org/its/?findid=9038
