CVE-2019-13057

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)

Published: 2019-07-26 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2019-13057 is rated Moderate Risk (43.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.58%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2019-13057

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-12-28 0.43% 0.58% +0.15%
2 2025-12-27 0.58% 0.43% -0.15%
3 2025-11-22 0.58%

Full EPSS history (21 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2019-13057

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.9 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 1.2 3.6 [email protected]
3.5 2.0 LOW
AV:N/AC:M/Au:S/C:P/I:N/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S)
A single authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:N)
No availability impact.
 6.8 2.9 [email protected]

Weakness enumeration for CVE-2019-13057

OS Trackers for CVE-2019-13057

vendor priority summary link
alpine medium CVE-2019-13057: 1 source package rows (openldap); 20 state rows across 10 repos (3.10-main, 3.11-main, 3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 10, open 10. https://security.alpinelinux.org/vuln/CVE-2019-13057
debian low CVE-2019-13057 low priority: Debian including 1 source packages (openldap), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2019-13057
redhat medium https://access.redhat.com/security/cve/CVE-2019-13057
suse medium CVE-2019-13057 severity moderate: SUSE including 505 source package names (0.1.0:libldap-2_4-2-2.4.46-9.19.2, 0.1.0:libldap-data-2.4.46-9.19.2, …), 668 product×package rows across 139 product lines (Container bci/dotnet-aspnet, Container bci/dotnet-runtime, … (139 product lines)): Fixed 492, Known Affected 157, Known Not Affected 19. https://www.suse.com/security/cve/CVE-2019-13057/
ubuntu low CVE-2019-13057 low priority: Ubuntu including 1 source packages (openldap), 5 status rows across 5 suites (bionic, disco, trusty, upstream, xenial): released 5. https://ubuntu.com/security/CVE-2019-13057

Affected software / configurations for CVE-2019-13057

Vendor Product Version Raw CPE
openldap openldap < 2.4.48 cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*
canonical ubuntu_linux 12.04 cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
canonical ubuntu_linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 18.04 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 19.04 cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
debian debian_linux 8.0 cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
opensuse leap 15.0 cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
opensuse leap 15.1 cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
apple mac_os_x >= 10.13, < 10.13.6 cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
apple mac_os_x >= 10.14, < 10.14.6 cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
apple mac_os_x >= 10.15, < 10.15.2 cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:-:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2018-002:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2018-003:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-001:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-002:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-003:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-004:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-005:*:*:*:*:*:*
apple mac_os_x 10.13.6 cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-006:*:*:*:*:*:*
apple mac_os_x 10.14.6 cpe:2.3:o:apple:mac_os_x:10.14.6:*:*:*:*:*:*:*
apple mac_os_x 10.14.6 cpe:2.3:o:apple:mac_os_x:10.14.6:-:*:*:*:*:*:*
apple mac_os_x 10.14.6 cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-001:*:*:*:*:*:*
mcafee policy_auditor < 6.5.1 cpe:2.3:a:mcafee:policy_auditor:*:*:*:*:*:*:*:*
mcafee policy_auditor 6.5.1 cpe:2.3:a:mcafee:policy_auditor:6.5.1:*:*:*:*:*:*:*
oracle blockchain_platform < 21.1.2 cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
oracle zfs_storage_appliance_kit 8.8 cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
oracle solaris 11 cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*

References for CVE-2019-13057

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/26 Mailing List Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10365 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Dec/23 Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20190822-0004/ Third Party Advisory
https://support.apple.com/kb/HT210788 Third Party Advisory
https://usn.ubuntu.com/4078-1/ Third Party Advisory
https://usn.ubuntu.com/4078-2/ Third Party Advisory
https://www.openldap.org/its/?findid=9038 Mailing List Vendor Advisory
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html Mailing List Product Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
cvelogic Threat Intelligence