Vulnerability DatabaseCVE-2023-50422
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-50422
December 12, 2023
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Affected Packages
com.sap.cloud.security:java-security (JAVA):
Affected version(s) >=2.4.4 <2.17.0
Fix Suggestion:
Update to version 2.17.0
com.sap.cloud.security:spring-security (JAVA):
Affected version(s) >=0.1.0 <2.17.0
Fix Suggestion:
Update to version 2.17.0
com.sap.cloud.security.xsuaa:spring-xsuaa (JAVA):
Affected version(s) >=3.0.0 <3.3.0
Fix Suggestion:
Update to version 3.3.0
com.sap.cloud.security.xsuaa:spring-xsuaa (JAVA):
Affected version(s) >=1.1.0.RC1 <2.17.0
Fix Suggestion:
Update to version 2.17.0
com.sap.cloud.security:spring-security (JAVA):
Affected version(s) >=3.0.0 <3.3.0
Fix Suggestion:
Update to version 3.3.0
com.sap.cloud.security:java-security (JAVA):
Affected version(s) >=3.0.0 <3.3.0
Fix Suggestion:
Update to version 3.3.0
Related Resources (15)
https://github.com/SAP/cloud-security-services-integration-library/commit/4b3e42ab23df6418243b29908b1a2582818d9360
https://github.com/SAP/cloud-security-services-integration-library
https://github.com/SAP/cloud-security-services-integration-library/commit/7ce9601979c30ae269a1cbaf7cf33486d10736f1
https://github.com/SAP/cloud-security-services-integration-library/
https://me.sap.com/notes/3413475
https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067
https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
https://en.wikipedia.org/wiki/JSON_Web_Token
https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
https://me.sap.com/notes/3411067
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Exposed Dangerous Method or Function
CWE-749
Improper Privilege Management
CWE-269
EPSS
Base Score:
0.54