CVE-2019-13565

Summary

CVE	CVE-2019-13565
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-07-26 13:15:00 UTC
Updated	2023-11-07 03:03:00 UTC
Description	An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Mac Os X	All	All	All	All
Operating System	Apple	Mac Os X	10.13.6	All	All	All
Operating System	Apple	Mac Os X	10.13.6	-	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2018-002	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2018-003	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2019-001	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2019-002	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2019-003	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2019-004	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2019-005	All	All
Operating System	Apple	Mac Os X	10.13.6	security_update_2019-006	All	All
Operating System	Apple	Mac Os X	10.14.6	-	All	All
Operating System	Apple	Mac Os X	10.14.6	security_update_2019-001	All	All
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Application	F5	Traffix Signaling Delivery Controller	5.0.0	All	All	All
Application	F5	Traffix Signaling Delivery Controller	5.1.0	All	All	All
Application	Openldap	Openldap	All	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Blockchain Platform	All	All	All	All
Operating System	Oracle	Solaris	11	All	All	All
Application	Oracle	Zfs Storage Appliance Kit	8.8	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!		lists.apache.org
Full Disclosure: APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra	FULLDISC	seclists.org
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[security-announce] openSUSE-SU-2019:2157-1: moderate: Security update f	SUSE	lists.opensuse.org
About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support	CONFIRM	support.apple.com
USN-4078-2: OpenLDAP vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
[security-announce] openSUSE-SU-2019:2176-1: moderate: Security update f	SUSE	lists.opensuse.org
9052 – ACL protections get lost if same identity uses different SSF levels	MISC	www.openldap.org	Mailing List, Vendor Advisory
USN-4078-1: OpenLDAP vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
OpenLDAP 2.4.48 available, LMDB 0.9.24 available	CONFIRM	www.openldap.org	Mailing List, Vendor Advisory
support.f5.com/csp/article/K98008862	CONFIRM	support.f5.com
myF5		support.f5.com
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com
[SECURITY] [DLA 1891-1] openldap security update	MLIST	lists.debian.org	Third Party Advisory
Bugtraq: APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra	BUGTRAQ	seclists.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

354907 Amazon Linux Security Advisory for openldap : ALAS2-2023-2033
354925 Amazon Linux Security Advisory for openldap : ALAS-2023-1741
355082 Amazon Linux Security Advisory for openldap : AL2012-2023-407
500478 Alpine Linux Security Update for openldap
504236 Alpine Linux Security Update for openldap
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
671071 EulerOS Security Update for openldap (EulerOS-SA-2019-2358)