CVE-2019-13057

Name: CVE-2019-13057
Description: An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1891-1
NVD severity: low (attack range: remote)
Debian Bugs: 932997

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release             Version                 Status
openldap (PTS)    jessie              2.4.40+dfsg-1+deb8u4    vulnerable
                  jessie (security)   2.4.40+dfsg-1+deb8u5    fixed
                  stretch             2.4.44+dfsg-5+deb9u2    vulnerable
                  buster              2.4.47+dfsg-3           vulnerable
                  bullseye, sid       2.4.48+dfsg-1           fixed

The information below is based on the following data on fixed versions.

Package    Type     Release     Fixed Version           Urgency   Origin       Debian Bugs
openldap   source   (unstable)  2.4.48+dfsg-1           low                    932997
openldap   source   jessie      2.4.40+dfsg-1+deb8u5    low       DLA-1891-1

Notes

[buster] - openldap <no-dsa> (Minor issue)
[stretch] - openldap <no-dsa> (Minor issue)
https://openldap.org/its/?findid=9038
