CVE-2019-13057

MEDIUM

OpenLDAP <2.4.48 - Privilege Escalation

Title source: llm

Description

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)

References (14)

Core 14

Core References

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4078-1/

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4078-2/

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html

Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq

https://seclists.org/bugtraq/2019/Dec/23

Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2019/Dec/26

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2020.html

Third Party Advisory x_refsource_confirm

https://support.apple.com/kb/HT210788

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory x_refsource_confirm

https://kc.mcafee.com/corporate/index?page=content&id=SB10365

Mailing List, Vendor Advisory x_refsource_misc

https://www.openldap.org/its/?findid=9038

Mailing List, Product, Vendor Advisory x_refsource_confirm

https://www.openldap.org/lists/openldap-announce/201907/msg00001.html

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20190822-0004/

Scores

CVSS v3 4.9

EPSS 0.0057

EPSS Percentile 68.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

Status published

Products (17)

apple/mac_os_x 10.13.6 (9 CPE variants)

apple/mac_os_x 10.14.6 (3 CPE variants)

apple/mac_os_x 10.13 - 10.13.6

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.04

debian/debian_linux 8.0

mcafee/policy_auditor 6.5.1

... and 7 more

Published Jul 26, 2019

Tracked Since Feb 18, 2026