CVE-2019-13057
moderate-risk
Published 2019-07-26
An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
Do I need to act?
-
0.58% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.9/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
References (28)
Mailing List
http://seclists.org/fulldisclosure/2019/Dec/26
Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
Mailing List
https://seclists.org/bugtraq/2019/Dec/23
Third Party Advisory
https://security.netapp.com/advisory/ntap-20190822-0004/
Third Party Advisory
https://support.apple.com/kb/HT210788
Third Party Advisory
https://usn.ubuntu.com/4078-1/
Third Party Advisory
https://usn.ubuntu.com/4078-2/
Mailing List
https://www.openldap.org/its/?findid=9038
Mailing List
http://seclists.org/fulldisclosure/2019/Dec/26
Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
Mailing List
https://seclists.org/bugtraq/2019/Dec/23
and 8 more references
44
/ 100
moderate-risk
Severity
20/34 · Moderate
Exploitability
2/34 · Minimal
Exposure
22/34 · High