Description

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Remediation

References

https://me.sap.com/notes/3411067

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

https://github.com/SAP/cloud-security-services-integration-library/

https://mvnrepository.com/artifact/com.sap.cloud.security/java-security

https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security

https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa

https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73

https://me.sap.com/notes/3413475

Related Vulnerabilities

CVE-2021-29943 Vulnerability in maven package org.apache.solr:solr-core

CVE-2019-10370 Vulnerability in maven package org.jenkins-ci.plugins:mask-passwords

CVE-2015-1796 Vulnerability in maven package org.opensaml:opensaml

CVE-2022-26594 Vulnerability in maven package com.liferay:com.liferay.dynamic.data.mapping.form.field.type

CVE-2023-49652 Vulnerability in maven package org.jenkins-ci.plugins:google-compute-engine

Severity

Critical

Classification

CWE-749 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Permissions Required Vendor Advisory Product