Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Remediation
References
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-security-services-integration-library/
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://me.sap.com/notes/3411067
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Related Vulnerabilities
CVE-2021-37580 Vulnerability in maven package org.apache.shenyu:shenyu-admin
CVE-2023-43497 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-11022 Vulnerability in maven package org.webjars.bower:jquery
CVE-2019-10327 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-maven-parent
CVE-2020-2109 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps