Lucene search

K

GoogleOSV:GHSA-P99H-PFG6-QRFG

HistoryDec 12, 2023 - 3:31 a.m.

Privilege escalation in sap-xssec

2023-12-1203:31:45

Google

osv.dev

7

sap btp

security services

privileges

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

47.4%

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

References

blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067

github.com/SAP/cloud-pysec

github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5

me.sap.com/notes/3411067

nvd.nist.gov/vuln/detail/CVE-2023-50423

pypi.org/project/sap-xssec

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

47.4%

Related for OSV:GHSA-P99H-PFG6-QRFG

nvd1 prion1 osv2 veracode1 cvelist1 github2 nessus1 cve1