Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nY2d3LXE0N20tcHJ2as4AA3r5
Improper JWT Signature Validation in SAP Security Services Library
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Permalink: https://github.com/advisories/GHSA-gcgw-q47m-prvjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY2d3LXE0N20tcHJ2as4AA3r5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-gcgw-q47m-prvj, CVE-2023-50422
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-50422
- https://github.com/SAP/cloud-security-services-integration-library/
- https://me.sap.com/notes/3411067
- https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
- https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
- https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
- https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
- https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
- https://me.sap.com/notes/3413475
- https://github.com/advisories/GHSA-gcgw-q47m-prvj
Blast Radius: 9.5
Affected Packages
maven:com.sap.cloud.security:spring-security
Dependent packages: 5Dependent repositories: 3
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.3.0, < 2.17.0
Fixed in: 3.3.0, 2.17.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.3.0, 0.3.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
All unaffected versions: 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0
maven:com.sap.cloud.security.xsuaa:spring-xsuaa
Dependent packages: 9Dependent repositories: 11
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.3.0, < 2.17.0
Fixed in: 3.3.0, 2.17.0
All affected versions: 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.12, 2.8.13, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
All unaffected versions: 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0
maven:com.sap.cloud.security:java-security
Dependent packages: 12Dependent repositories: 6
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.3.0, < 2.17.0
Fixed in: 3.3.0, 2.17.0
All affected versions: 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.12, 2.8.13, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
All unaffected versions: 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0