Lucene search

GoogleOSV:GHSA-6MJG-37CP-42X5

HistoryDec 13, 2023 - 1:34 p.m.

Improper Privilege Management in sap-xssec

2023-12-1313:34:36

Google

osv.dev

sap btp security services

privilege escalation

unauthenticated attacker

arbitrary permissions

patched version

cve-2023-50423

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

47.4%

JSON

Impact

SAP BTP Security Services Integration Library ([Python] sap-xssec) allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Patches

Upgrade to patched version >= 4.1.0
We always recommend to upgrade to the latest released version.

Workarounds

No workarounds

References

https://vulners.com/cve/CVE-2023-50423

References

github.com/SAP/cloud-pysec

github.com/SAP/cloud-pysec/commit/d90c9e0733fa9af68bd8ea0b1cf023cf482163ef

github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

47.4%

JSON

Related for OSV:GHSA-6MJG-37CP-42X5