Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-50422 Vulnerability in maven package com.sap.cloud.security.xsuaa:spring-xsuaa

Description

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Remediation

References

https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

https://github.com/SAP/cloud-security-services-integration-library/

https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73

https://me.sap.com/notes/3411067

https://me.sap.com/notes/3413475

https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa

https://mvnrepository.com/artifact/com.sap.cloud.security/java-security

https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Related Vulnerabilities

CVE-2018-17194 Vulnerability in maven package org.apache.nif:nifi-framework-cluster

CVE-2022-45875 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-alert-plugins

CVE-2020-16040 Vulnerability in maven package org.webjars.npm:electron

CVE-2023-39156 Vulnerability in maven package org.jenkins-ci.plugins:bazaar

CVE-2016-4974 Vulnerability in maven package org.apache.qpid:qpid-jms-client

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Product Permissions Required NVD-CWE-noinfo