CVE-2019-13057

2019-07-2613:15:12

Google

osv.dev

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

Low

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

50.7%

JSON

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)

CPENameOperatorVersion
openldapeqOPENLDAP_REL_ENG_2_4_2ALPHA
openldapeqOPENLDAP_REL_ENG_2_4_12
openldapeqOPENLDAP_REL_ENG_2_4_40
openldapeq2.4.19-r4
openldapeqLMDB_0.9.17
openldapeq2.4.31-r0
openldapeqOPENLDAP_REL_ENG_2_4_11
openldapeq2.4.35-r2
openldapeq2.4.21-r2
openldapeq2.4.32-r2

Name	Operator	Version
openldap	eq	OPENLDAP_REL_ENG_2_4_2ALPHA
openldap	eq	OPENLDAP_REL_ENG_2_4_12
openldap	eq	OPENLDAP_REL_ENG_2_4_40
openldap	eq	2.4.19-r4
openldap	eq	LMDB_0.9.17
openldap	eq	2.4.31-r0
openldap	eq	OPENLDAP_REL_ENG_2_4_11
openldap	eq	2.4.35-r2
openldap	eq	2.4.21-r2
openldap	eq	2.4.32-r2