Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Remediation
References
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-security-services-integration-library/
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://me.sap.com/notes/3411067
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Related Vulnerabilities
CVE-2023-27987 Vulnerability in maven package org.apache.linkis:linkis-dist
CVE-2013-4322 Vulnerability in maven package tomcat:tomcat-coyote
CVE-2023-30519 Vulnerability in maven package org.jenkins-ci.plugins:quayio-trigger
CVE-2012-4386 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2021-4040 Vulnerability in maven package org.apache.activemq:artemis-core-client