Lucene search

[email protected]CVE-2023-49583

HistoryDec 12, 2023 - 2:15 a.m.

CVE-2023-49583

2023-12-1202:15:07

CWE-269

[email protected]

web.nvd.nist.gov

cve-2023-49583

sap

btp

security services

integration library

node.js

privilege escalation

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.5%

JSON

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Affected configurations

NVD

Node

sap\@sap\/xssecRange<3.6.0node.js

CPENameOperatorVersion
sap:\@sap\/xssecsap @sap/xsseclt3.6.0

CPE	Name	Operator	Version
sap:\@sap\/xssec	sap @sap/xssec	lt	3.6.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "@sap/xssec",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.6.0"
      }
    ]
  }
]

References

blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

me.sap.com/notes/3411067

me.sap.com/notes/3412456

me.sap.com/notes/3413475

www.npmjs.com/package/@sap/xssec

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.5%

JSON

Related for CVE-2023-49583

nvd1 osv1 github1 prion1 cvelist1