Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Remediation
References
https://me.sap.com/notes/3411067
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
https://github.com/SAP/cloud-security-services-integration-library/
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://me.sap.com/notes/3413475
Related Vulnerabilities
CVE-2023-37478 Vulnerability in npm package @pnpm/linux-arm64
CVE-2021-32620 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2020-9482 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-core
CVE-2021-3827 Vulnerability in maven package org.keycloak:keycloak-server-spi-private
CVE-2022-45935 Vulnerability in maven package org.apache.james:james-server-core