CVE-2019-13057

Name: CVE-2019-13057
Description: An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1891-1, ELA-169-1
Debian Bugs: 932997

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                                    | Version                | Status
openldap (PTS)   | jessie, jessie (lts)                       | 2.4.40+dfsg-1+deb8u11  | fixed
                 | stretch (security), stretch (lts), stretch | 2.4.44+dfsg-5+deb9u9   | fixed
                 | buster (security), buster, buster (lts)    | 2.4.47+dfsg-3+deb10u7  | fixed
                 | bullseye (security), bullseye              | 2.4.57+dfsg-3+deb11u1  | fixed
                 | bookworm                                   | 2.5.13+dfsg-5          | fixed
                 | sid, trixie                                | 2.5.18+dfsg-3          | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version          | Urgency | Origin     | Debian Bugs
openldap  | source | wheezy     | 2.4.31-2+deb7u4        |         | ELA-169-1  |
openldap  | source | jessie     | 2.4.40+dfsg-1+deb8u5   |         | DLA-1891-1 |
openldap  | source | stretch    | 2.4.44+dfsg-5+deb9u3   |         |            |
openldap  | source | buster     | 2.4.47+dfsg-3+deb10u1  |         |            |
openldap  | source | (unstable) | 2.4.48+dfsg-1          | low     |            | 932997
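The fixed-version table above is only useful once it is compared against what a host actually has installed. The following script is an added example, not code from the Debian security tracker or the openldap package: it reimplements dpkg's version-comparison algorithm (epoch, then upstream, then Debian revision, with the alternating non-digit/digit runs and the "~" sorts-first rule) so the check also runs where dpkg is absent, embeds the fixed source versions listed above, and reads binary package versions from `dpkg-query` output. The binary package names slapd and libldap-2.4-2, the release name "stretch" and the sample dpkg-query output are assumptions constructed for the example; on a real Debian host, `dpkg --compare-versions` is the authoritative comparison.

```python
"""Check installed OpenLDAP packages against the Debian fixed versions for
CVE-2019-13057. Added example; not Debian tracker or openldap project code."""
import subprocess

# Fixed source-package versions per release, copied from the tracker table.
FIXED_VERSIONS = {
    "wheezy": "2.4.31-2+deb7u4",
    "jessie": "2.4.40+dfsg-1+deb8u5",
    "stretch": "2.4.44+dfsg-5+deb9u3",
    "buster": "2.4.47+dfsg-3+deb10u1",
    "unstable": "2.4.48+dfsg-1",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output
# for a stretch host that has not yet taken the deb9u3 update (assumed names).
SAMPLE_DPKG_OUTPUT = """\
slapd 2.4.44+dfsg-5+deb9u2
libldap-2.4-2 2.4.44+dfsg-5+deb9u2
"""


def _order(c):
    """Sort weight of one character in a non-digit run, as in dpkg's order()."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments with dpkg's alternating
    non-digit/digit algorithm. Returns <0, 0 or >0."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while ((ch(a, i) and not ch(a, i).isdigit())
               or (ch(b, j) and not ch(b, j).isdigit())):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; longer number wins, else first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """dpkg --compare-versions semantics: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(release, installed):
    """True if `installed` is at or above the fixed version for `release`."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def parse_dpkg_query(output):
    """Parse '<package> <version>' lines into a dict."""
    versions = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            versions[parts[0]] = parts[1]
    return versions


def assess(release, dpkg_output):
    """Map each listed binary package to (installed version, fixed?)."""
    return {pkg: (ver, is_fixed(release, ver))
            for pkg, ver in parse_dpkg_query(dpkg_output).items()}


if __name__ == "__main__":
    release = "stretch"  # assumed host release; set to match the system
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version}\\n",
             "slapd", "libldap-2.4-2"],  # assumed binary package names
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_DPKG_OUTPUT  # no dpkg here: use the constructed sample
    for pkg, (ver, ok) in assess(release, out).items():
        print(f"{pkg} {ver}: {'fixed' if ok else 'VULNERABLE'}")
```

The "~" rule matters for this CVE's tracker entries: a backport such as 2.4.48+dfsg-1~bpo9+1 compares lower than 2.4.48+dfsg-1, so a host on a backport must be checked against the backport's own changelog rather than assumed fixed by version number alone.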

Notes

https://openldap.org/its/?findid=9038
[wheezy] - openldap <no-dsa> (Minor issue)
