CVE-2023-50422: Escalation of Privileges in SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library)
First published: Tue Dec 12 2023(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-59c9-pxq8-9c73. This link is maintained to preserve external references. ## Original Description SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Credit: cna@sap.com cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <2.17.0 | ||
| >=3.0.0<3.3.0 | ||
| Sap Cloud-security-services-integration-library | <2.17.0 | |
| Sap Cloud-security-services-integration-library | >=3.0.0<3.3.0 | |
| maven/com.sap.cloud.security:spring-security | >=3.0.0<3.3.0 | 3.3.0 |
| maven/com.sap.cloud.security:spring-security | <2.17.0 | 2.17.0 |
| maven/com.sap.cloud.security.xsuaa:spring-xsuaa | >=3.0.0<3.3.0 | 3.3.0 |
| maven/com.sap.cloud.security.xsuaa:spring-xsuaa | <2.17.0 | 2.17.0 |
| maven/com.sap.cloud.security:java-security | >=3.0.0<3.3.0 | 3.3.0 |
| maven/com.sap.cloud.security:java-security | <2.17.0 | 2.17.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-50422
- https://github.com/SAP/cloud-security-services-integration-library/
- https://me.sap.com/notes/3411067
- https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
- https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
- https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
- https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
- https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
- https://github.com/advisories/GHSA-gcgw-q47m-prvj (Advisory)
- https://www.theregister.com/2024/01/09/january_patch_tuesday/
- https://me.sap.com/notes/3413475
- https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067
- https://github.com/SAP/cloud-security-services-integration-library
- https://github.com/SAP/cloud-security-services-integration-library/commit/4b3e42ab23df6418243b29908b1a2582818d9360
- https://github.com/SAP/cloud-security-services-integration-library/commit/7ce9601979c30ae269a1cbaf7cf33486d10736f1
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://github.com/advisories/GHSA-59c9-pxq8-9c73 (Advisory)
- agent/type
- agent/first-publish-date
- agent/author
- agent/softwarecombine
- agent/title
- agent/severity
- collector/the-register
- source/The Register
- alias/CVE-2024-20674
- alias/CVE-2024-20700
- alias/CVE-2023-49583
- alias/CVE-2023-50422
- alias/CVE-2023-20193
- alias/CVE-2023-20194
- collector/mitre-cve
- source/MITRE
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gcgw-q47m-prvj
- agent/event
- collector/nvd-cve
- alias/GHSA-59c9-pxq8-9c73
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/tags
- agent/description
- agent/trending
- vendor/sap
- canonical/sap cloud-security-services-integration-library
- version/sap cloud-security-services-integration-library/3.0.0
- package-manager/maven