Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Remediation
References
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-security-services-integration-library/
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://me.sap.com/notes/3411067
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Related Vulnerabilities
CVE-2023-24455 Vulnerability in maven package io.jenkins.plugins:visualexpert
CVE-2020-1698 Vulnerability in maven package org.keycloak:keycloak-authz-client
CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j-core
CVE-2022-29599 Vulnerability in maven package org.apache.maven.shared:maven-shared-utils
CVE-2022-34192 Vulnerability in maven package org.jenkins-ci.plugins:ontrack