Alpine: libldap, multiple openldap packages: security update to 2.4.48-r0

high Tenable Cloud Security Plugin ID 424294

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates
rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-
tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity
from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common
configuration to deploy a system where the server administrator and a DB administrator enjoy different
levels of trust.) (CVE-2019-13057)

- An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session
encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain
access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the
first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending
on the ACL configuration, this can affect different types of operations (searches, modifications, etc.).
In other words, a successful authorization step completed by one user affects the authorization
requirement for a different user. (CVE-2019-13565)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-13057

https://security.alpinelinux.org/vuln/CVE-2019-13565

Plugin Details

Severity: High

ID: 424294

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-13565

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/26/2019

Reference Information

CVE: CVE-2019-13057, CVE-2019-13565