PT-2019-2907 · Openldap+3 · Openldap+3

Published

2019-07-26

·

Updated

2025-01-13

·

CVE-2019-13565

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions OpenLDAP versions prior to 2.4.48
Description An issue in OpenLDAP allows access that would otherwise be denied via a simple bind for any identity covered in the ACLs when using SASL authentication and session encryption. After the first SASL bind is completed, the sasl ssf value is retained for all new non-SASL connections, affecting different types of operations depending on the ACL configuration. This means a successful authorization step completed by one user can affect the authorization requirement for a different user.
Recommendations For OpenLDAP versions prior to 2.4.48, update to version 2.4.48 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive operations until the update is applied.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

ALT-PU-2019-2556
ALT-PU-2019-2568
BDU:2019-02876
CVE-2019-13565
DLA-1891-1
MGASA-2019-0280
OPENSUSE-SU-2019:2157-1
OPENSUSE-SU-2019:2176-1
OPENSUSE-SU-2019_2157-1
OPENSUSE-SU-2019_2176-1
OPENSUSE-SU-2024:11121-1
ROSA-SA-2025-2550
SUSE-SU-2019:2390-1
SUSE-SU-2019:2395-1
SUSE-SU-2020:1210-1
SUSE-SU-2020:14353-1
USN-4078-1
USN-4078-2

Affected Products

Alt Linux
Openldap
Suse
Ubuntu