CVE-2023-50422

critical

Description

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

References

Advisories
More

https://me.sap.com/notes/3411067

https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security

https://mvnrepository.com/artifact/com.sap.cloud.security/java-security

https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa

https://me.sap.com/notes/3413475

https://github.com/SAP/cloud-security-services-integration-library/

https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

Details

Source: Mitre, NVD

Published: 2023-12-12

Updated: 2024-09-28

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: Critical

EPSS

EPSS: 0.01716