Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Remediation
References
https://me.sap.com/notes/3411067
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
https://github.com/SAP/cloud-security-services-integration-library/
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://me.sap.com/notes/3413475
Related Vulnerabilities
CVE-2017-12621 Vulnerability in maven package commons-jelly:commons-jelly
CVE-2023-46729 Vulnerability in npm package @sentry/nextjs
CVE-2015-8859 Vulnerability in maven package org.webjars.npm:send
CVE-2018-1000176 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2014-3655 Vulnerability in maven package org.keycloak:keycloak-services