First published: Tue Dec 12 2023(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-59c9-pxq8-9c73. This link is maintained to preserve external references. ## Original Description SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Credit: cna@sap.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.sap.cloud.security:spring-security | >=3.0.0<3.3.0 | 3.3.0 |
maven/com.sap.cloud.security:spring-security | <2.17.0 | 2.17.0 |
maven/com.sap.cloud.security.xsuaa:spring-xsuaa | >=3.0.0<3.3.0 | 3.3.0 |
maven/com.sap.cloud.security.xsuaa:spring-xsuaa | <2.17.0 | 2.17.0 |
maven/com.sap.cloud.security:java-security | >=3.0.0<3.3.0 | 3.3.0 |
maven/com.sap.cloud.security:java-security | <2.17.0 | 2.17.0 |
SAP Cloud Security Services Integration Library | <2.17.0 | |
SAP Cloud Security Services Integration Library | >=3.0.0<3.3.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-50422 has not been assigned a specific severity score as it is a duplicate advisory.
To resolve CVE-2023-50422, update to version 2.17.0 or later, or to version 3.3.0 of the SAP Cloud Security Services Integration Library.
CVE-2023-50422 affects the SAP Cloud Security Services Integration Library in versions prior to 2.17.0 and between 3.0.0 and 3.3.0.
CVE-2023-50422 itself does not have a critical designation as it is a duplicate advisory.
If you cannot update, evaluate the risk and implement compensating controls to mitigate exposure associated with CVE-2023-50422.