CVE-2019-13057

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)

Published: Jul 26, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-13057
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.9
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
openldap / openldap	-	2.4.48
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.04	19.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	12.04	12.04.x
debian / debian_linux	8.0	8.0.x
opensuse / leap	15.0	15.0.x
opensuse / leap	15.1	15.1.x
apple / mac_os_x	10.14	10.14.6
apple / mac_os_x	10.14.6	10.14.6.x
apple / mac_os_x	10.13.6-security_update_2018-003	10.13.6-security_update_2018-003.x
apple / mac_os_x	10.13.6-security_update_2018-002	10.13.6-security_update_2018-002.x
apple / mac_os_x	10.13.6-security_update_2019-003	10.13.6-security_update_2019-003.x
apple / mac_os_x	10.13.6-security_update_2019-002	10.13.6-security_update_2019-002.x
apple / mac_os_x	10.13.6-security_update_2019-001	10.13.6-security_update_2019-001.x
apple / mac_os_x	10.13.6-security_update_2019-006	10.13.6-security_update_2019-006.x
apple / mac_os_x	10.13.6-security_update_2019-005	10.13.6-security_update_2019-005.x
apple / mac_os_x	10.13.6-security_update_2019-004	10.13.6-security_update_2019-004.x
apple / mac_os_x	10.13.6	10.13.6.x
apple / mac_os_x	10.14.6-security_update_2019-001	10.14.6-security_update_2019-001.x
apple / mac_os_x	10.13	10.13.6
apple / mac_os_x	10.15	10.15.2
mcafee / policy_auditor	-	6.5.1
mcafee / policy_auditor	6.5.1	6.5.1.x
oracle / solaris	11	11.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x
oracle / blockchain_platform	-	21.1.2

Vulnerability Database

309,084

CVE-2019-13057

Deep Security Visibility Without the Complexity