Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Remediation
References
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-security-services-integration-library/
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://me.sap.com/notes/3411067
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Related Vulnerabilities
CVE-2020-6463 Vulnerability in maven package org.webjars.npm:electron
CVE-2019-10083 Vulnerability in maven package org.apache.nifi:nifi-framework
CVE-2014-0035 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security
CVE-2019-16572 Vulnerability in maven package org.jenkins-ci.plugins:weibo
CVE-2022-28158 Vulnerability in maven package com.surenpi.jenkins:phoenix-autotest