7.5

CVE-2019-13565

EPSS 5.75%
Published 26.07.2019 13:15:12
Last modified 21.11.2024 04:25:11
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

Affected products Warnungen 0 Metrics 3 CWE 0 References 19

Data is provided by the National Vulnerability Database (NVD)

Openldap ≫ Openldap Version >= 2.0 <= 2.4.47

Canonical ≫ Ubuntu Linux Version12.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version14.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04

Canonical ≫ Ubuntu Linux Version19.04

Debian ≫ Debian Linux Version8.0

Opensuse ≫ Leap Version15.0

Opensuse ≫ Leap Version15.1

F5 ≫ Traffix Signaling Delivery Controller Version5.0.0

F5 ≫ Traffix Signaling Delivery Controller Version5.1.0

Apple ≫ macOS X Version >= 10.13 < 10.13.6

Apple ≫ macOS X Version >= 10.14 < 10.14.6

Apple ≫ macOS X Version >= 10.15 < 10.15.2

Apple ≫ macOS X Version10.13.6

Apple ≫ macOS X Version10.13.6 Update-

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2018-002

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2018-003

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2019-001

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2019-002

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2019-003

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2019-004

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2019-005

Apple ≫ macOS X Version10.13.6 Updatesecurity_update_2019-006

Apple ≫ macOS X Version10.14.6 Update-

Apple ≫ macOS X Version10.14.6 Updatesecurity_update_2019-001

Oracle ≫ Blockchain Platform Version < 21.1.2

Oracle ≫ Zfs Storage Appliance Kit Version8.8

Oracle ≫ Solaris Version11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	5.75%	0.901

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

http://seclists.org/fulldisclosure/2019/Dec/26

Third Party Advisory

Mailing List

https://seclists.org/bugtraq/2019/Dec/23

Third Party Advisory

Mailing List

https://support.apple.com/kb/HT210788

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html

Third Party Advisory

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html

Third Party Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html

Third Party Advisory

Mailing List

https://usn.ubuntu.com/4078-1/

Third Party Advisory

https://usn.ubuntu.com/4078-2/

Third Party Advisory

https://www.openldap.org/lists/openldap-announce/201907/msg00001.html

Vendor Advisory

Mailing List

https://support.f5.com/csp/article/K98008862?utm_source=f5support&amp%3Butm_medium=RSS

https://www.openldap.org/its/index.cgi/?findid=9052

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2019-13565

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-13565

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-13565

EUVD