Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nY2d3LXE0N20tcHJ2as4AA3r5

Improper JWT Signature Validation in SAP Security Services Library

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Permalink: https://github.com/advisories/GHSA-gcgw-q47m-prvj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY2d3LXE0N20tcHJ2as4AA3r5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 5 months ago
Updated: 4 months ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-gcgw-q47m-prvj, CVE-2023-50422
References:

Repository: https://github.com/SAP/cloud-security-services-integration-library
Blast Radius: 9.5

Affected Packages

maven:com.sap.cloud.security:spring-security

Dependent packages: 5
Dependent repositories: 3
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.3.0, < 2.17.0
Fixed in: 3.3.0, 2.17.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.3.0, 0.3.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
All unaffected versions: 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0

maven:com.sap.cloud.security.xsuaa:spring-xsuaa

Dependent packages: 9
Dependent repositories: 11
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.3.0, < 2.17.0
Fixed in: 3.3.0, 2.17.0
All affected versions: 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.12, 2.8.13, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
All unaffected versions: 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0

maven:com.sap.cloud.security:java-security

Dependent packages: 12
Dependent repositories: 6
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.3.0, < 2.17.0
Fixed in: 3.3.0, 2.17.0
All affected versions: 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.12, 2.8.13, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.16.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
All unaffected versions: 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0