GHSA-59c9-pxq8-9c73
Suggest an improvement- Source
- https://github.com/advisories/GHSA-59c9-pxq8-9c73
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-59c9-pxq8-9c73/GHSA-59c9-pxq8-9c73.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-59c9-pxq8-9c73
- Aliases
- Published
- 2023-12-13T13:33:57Z
- Modified
- 2024-09-30T20:09:01.026514Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Improper JWT Signature Validation in SAP Security Services Library
- Details
-
Impact
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Patches
Upgrade to patched version >= 2.17.0 or >= 3.3.0 We always recommend to upgrade to the latest released version.
Workarounds
No workarounds
References
https://www.cve.org/CVERecord?id=CVE-2023-50422
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-269" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-12-13T13:33:57Z" }- References
-
- https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
- https://nvd.nist.gov/vuln/detail/CVE-2023-50422
- https://github.com/SAP/cloud-security-services-integration-library/commit/4b3e42ab23df6418243b29908b1a2582818d9360
- https://github.com/SAP/cloud-security-services-integration-library/commit/7ce9601979c30ae269a1cbaf7cf33486d10736f1
- https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://github.com/SAP/cloud-security-services-integration-library
- https://me.sap.com/notes/3411067
- https://me.sap.com/notes/3413475
- https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
- https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
- https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Affected packages
Maven / com.sap.cloud.security:java-security
Package
- Name
- com.sap.cloud.security:java-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/java-security
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.0
Affected versions
2.*
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.12
2.8.13
2.9.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
Maven / com.sap.cloud.security:java-security
Package
- Name
- com.sap.cloud.security:java-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/java-security
Maven / com.sap.cloud.security:spring-security
Package
- Name
- com.sap.cloud.security:spring-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/spring-security
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.0
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.2.0
0.3.0
0.3.1
2.*
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
Maven / com.sap.cloud.security:spring-security
Package
- Name
- com.sap.cloud.security:spring-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/spring-security
Maven / com.sap.cloud.security.xsuaa:spring-xsuaa
Package
- Name
- com.sap.cloud.security.xsuaa:spring-xsuaa
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security.xsuaa/spring-xsuaa
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.0
Affected versions
1.*
1.1.0.RC1
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.7.0
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.3.1
2.3.2
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.12
2.8.13
2.9.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
Maven / com.sap.cloud.security.xsuaa:spring-xsuaa
Package
- Name
- com.sap.cloud.security.xsuaa:spring-xsuaa
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security.xsuaa/spring-xsuaa