CVE-2023-50422

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/	Vendor Advisory
https://github.com/SAP/cloud-security-services-integration-library/	Product
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73	Vendor Advisory
https://me.sap.com/notes/3411067	Permissions Required
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa	Product
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security	Product
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security	Product
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/	Vendor Advisory
https://github.com/SAP/cloud-security-services-integration-library/	Product
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73	Vendor Advisory
https://me.sap.com/notes/3411067	Permissions Required
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa	Product
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security	Product
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security	Product
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:cloud-security-services-integration-library::::::java::*
	cpe:2.3:a:sap:cloud-security-services-integration-library::::::java::*

History

21 Nov 2024, 08:36

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 9.1
References	~~() https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/ - Vendor Advisory~~	() https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/ - Vendor Advisory
References	~~() https://github.com/SAP/cloud-security-services-integration-library/ - Product~~	() https://github.com/SAP/cloud-security-services-integration-library/ - Product
References	~~() https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73 - Vendor Advisory~~	() https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73 - Vendor Advisory
References	~~() https://me.sap.com/notes/3411067 - Permissions Required~~	() https://me.sap.com/notes/3411067 - Permissions Required
References	~~() https://me.sap.com/notes/3413475 -~~	() https://me.sap.com/notes/3413475 -
References	~~() https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa - Product~~	() https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa - Product
References	~~() https://mvnrepository.com/artifact/com.sap.cloud.security/java-security - Product~~	() https://mvnrepository.com/artifact/com.sap.cloud.security/java-security - Product
References	~~() https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security - Product~~	() https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security - Product
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

28 Sep 2024, 23:15

Type	Values Removed	Values Added
CWE	~~CWE-269~~	CWE-749
Summary	(en) SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.	(en) SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

15 Dec 2023, 16:53

Type	Values Removed	Values Added
CPE	cpe:2.3:a:sap:btp_security_services_integration_library::::::::	cpe:2.3:a:sap:cloud-security-services-integration-library::::::java::*

14 Dec 2023, 19:04

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:sap:btp_security_services_integration_library::::::::
References	~~() https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/ -~~	() https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/ - Vendor Advisory
References	~~() https://me.sap.com/notes/3411067 -~~	() https://me.sap.com/notes/3411067 - Permissions Required
References	~~() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	() https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
References	~~() https://github.com/SAP/cloud-security-services-integration-library/ -~~	() https://github.com/SAP/cloud-security-services-integration-library/ - Product
References	~~() https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security -~~	() https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security - Product
References	~~() https://mvnrepository.com/artifact/com.sap.cloud.security/java-security -~~	() https://mvnrepository.com/artifact/com.sap.cloud.security/java-security - Product
References	~~() https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa -~~	() https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa - Product
References	~~() https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73 -~~	() https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73 - Vendor Advisory

12 Dec 2023, 09:15

Type	Values Removed	Values Added
References		() https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/ - () https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73 -
CWE	~~CWE-639~~	CWE-269

12 Dec 2023, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-12 02:15

Updated : 2024-11-21 08:36

NVD link : CVE-2023-50422

Mitre link : CVE-2023-50422

CVE.ORG link : CVE-2023-50422

JSON object : View

Products Affected

sap

cloud-security-services-integration-library

CWE

CWE-749

Exposed Dangerous Method or Function

9.1 /10