GHSA-gcgw-q47m-prvj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gcgw-q47m-prvj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gcgw-q47m-prvj/GHSA-gcgw-q47m-prvj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gcgw-q47m-prvj
- Withdrawn
- 2024-09-30T18:52:44Z
- Published
- 2023-12-12T03:31:45Z
- Modified
- 2024-11-30T05:25:52.180799Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Duplicate Advisory: Improper JWT Signature Validation in SAP Security Services Library
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-59c9-pxq8-9c73. This link is maintained to preserve external references.
Original Description
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
- Database specific
{ "nvd_published_at": "2023-12-12T02:15:08Z", "cwe_ids": [ "CWE-269", "CWE-639", "CWE-749" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-12-15T03:53:07Z" }- References
-
- https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
- https://nvd.nist.gov/vuln/detail/CVE-2023-50422
- https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067
- https://github.com/SAP/cloud-security-services-integration-library
- https://me.sap.com/notes/3411067
- https://me.sap.com/notes/3413475
- https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa
- https://mvnrepository.com/artifact/com.sap.cloud.security/java-security
- https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Affected packages
Maven / com.sap.cloud.security:java-security
Package
- Name
- com.sap.cloud.security:java-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/java-security
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.0
Affected versions
2.*
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.12
2.8.13
2.9.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
Maven / com.sap.cloud.security:java-security
Package
- Name
- com.sap.cloud.security:java-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/java-security
Maven / com.sap.cloud.security.xsuaa:spring-xsuaa
Package
- Name
- com.sap.cloud.security.xsuaa:spring-xsuaa
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security.xsuaa/spring-xsuaa
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.0
Affected versions
1.*
1.1.0.RC1
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.7.0
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.3.1
2.3.2
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.12
2.8.13
2.9.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
Maven / com.sap.cloud.security.xsuaa:spring-xsuaa
Package
- Name
- com.sap.cloud.security.xsuaa:spring-xsuaa
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security.xsuaa/spring-xsuaa
Maven / com.sap.cloud.security:spring-security
Package
- Name
- com.sap.cloud.security:spring-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/spring-security
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.17.0
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.2.0
0.3.0
0.3.1
2.*
2.10.2
2.10.3
2.10.4
2.10.5
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.11.13
2.11.14
2.11.15
2.11.16
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.14.0
2.14.1
2.14.2
2.15.0
2.16.0
Maven / com.sap.cloud.security:spring-security
Package
- Name
- com.sap.cloud.security:spring-security
- View open source insights on deps.dev
- Purl
- pkg:maven/com.sap.cloud.security/spring-security