Description

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Remediation

References

https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

https://github.com/SAP/cloud-security-services-integration-library/

https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73

https://me.sap.com/notes/3411067

https://me.sap.com/notes/3413475

https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa

https://mvnrepository.com/artifact/com.sap.cloud.security/java-security

https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Related Vulnerabilities

CVE-2023-24998 Vulnerability in maven package org.apache.tomcat:tomcat-util

CVE-2023-46998 Vulnerability in maven package org.webjars.bower:bootbox

CVE-2022-34208 Vulnerability in maven package org.jenkins-ci.plugins:beaker-builder

CVE-2016-1000031 Vulnerability in maven package commons-fileupload:commons-fileupload

CVE-2022-23712 Vulnerability in maven package org.elasticsearch:elasticsearch

Severity

Critical

Classification

CWE-749 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Product Permissions Required