WARNING: CRITICAL VULNERABILITIES IN MULTIPLE SAP BUSINESS TECHNOLOGY PLATFORM (BTP) SECURITY SERVICES INTEGRATION LIBRARIES
CVE-2023-49583
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50422
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50423
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50424
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Sources
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
Risks
The SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go all contain critical vulnerabilities (CVSS 9.1) that could allow an unauthenticated remote attacker to escalate privileges and obtain arbitrary permissions within the affected application.
Description
Due to improper privilege management in the SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go, an attacker can, under certain conditions, escalate privileges. On successful exploitation, an unauthenticated attacker obtains arbitrary permissions within the application that embeds the vulnerable library. The CVSS vector reflects this: network-reachable, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality and integrity.
Recommended actions
SAP recommends updating the SAP Business Technology Platform (BTP) Security Services Integration Libraries to the fixed versions below or later. Because these libraries are application dependencies rather than platform components, every application that bundles one of them must update its dependency manifest, rebuild and redeploy; updating the platform alone does not remove the exposure.
- SAP BTP Security Services Integration Library [Node.js] @sap/xssec: version 3.6.0
- SAP BTP Security Services Integration Library [Python] sap-xssec: version 4.1.0
- SAP BTP Security Services Integration Library [Java] cloud-security-services-integration-library (2.x branch): version 2.17.0
- SAP BTP Security Services Integration Library [Java] cloud-security-services-integration-library (3.x branch): version 3.3.0
- SAP BTP Security Services Integration Library [Golang] github.com/sap/cloud-security-client-go: version 0.17.0
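As a practical check for the recommended actions above, the following script compares the library versions declared in a project's dependency manifests against the fixed versions listed in this advisory and reports every pin that is still below the floor. It is an added example, not code from SAP or from the advisory; the manifest excerpts are constructed sample input, the Java entry is keyed by the library's repository name rather than by a Maven coordinate (mapping your pom.xml artifacts onto it is left to the reader), and the handling of major lines without a listed fix (treat older lines as affected, newer ones as fixed) is an assumption, not something the advisory states.

```python
import json
import re

# Minimum fixed versions as listed in this advisory (SAP Note 3411067).
# The Java library received a fix on both its 2.x and 3.x branches.
FIXED_VERSIONS = {
    "@sap/xssec": ("3.6.0",),
    "sap-xssec": ("4.1.0",),
    "cloud-security-services-integration-library": ("2.17.0", "3.3.0"),
    "github.com/sap/cloud-security-client-go": ("0.17.0",),
}


def parse_version(spec: str) -> tuple[int, int, int]:
    """Reduce 'v0.16.0', '^3.5.1' or '2.16.0-rc1' to a (major, minor, patch) tuple.

    Range prefixes such as ^, ~ or >= are read as their lower bound: if the
    lower bound is below the fix, an unlocked install may still be exposed.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", spec)
    if not m:
        raise ValueError(f"unparseable version: {spec!r}")
    major, minor, patch = (int(x or 0) for x in m.groups())
    return (major, minor, patch)


def is_fixed(library: str, spec: str) -> bool:
    """True if the declared version is at or above the fixed release of its major line."""
    version = parse_version(spec)
    floors = [parse_version(f) for f in FIXED_VERSIONS[library]]
    same_line = [f for f in floors if f[0] == version[0]]
    if same_line:
        return version >= same_line[0]
    # Assumption (not from the advisory): a major line newer than every fixed
    # branch carries the fix; an older line (e.g. a Java 1.x pin) does not.
    return version[0] > max(f[0] for f in floors)


def find_affected(dependencies: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (library, declared version, required fix) for each affected pin."""
    hits = []
    for lib, spec in dependencies.items():
        if lib in FIXED_VERSIONS and not is_fixed(lib, spec):
            hits.append((lib, spec, " or ".join(FIXED_VERSIONS[lib])))
    return hits


# --- minimal manifest extractors (enough for the formats the advisory covers) ---

def deps_from_package_json(text: str) -> dict[str, str]:
    data = json.loads(text)
    deps: dict[str, str] = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def deps_from_requirements(text: str) -> dict[str, str]:
    deps = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def deps_from_go_mod(text: str) -> dict[str, str]:
    # Matches 'module/path vX.Y.Z' lines inside or outside a require block.
    return dict(re.findall(r"^\s*(\S+)\s+(v\d[^\s/]*)", text, flags=re.MULTILINE))


# Constructed sample manifests: every SAP library is pinned one release below its fix.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"@sap/xssec": "^3.5.1", "express": "^4.18.2"}}'
SAMPLE_REQUIREMENTS = "flask==3.0.0\nsap-xssec==4.0.1\n"
SAMPLE_GO_MOD = """module example.com/app

go 1.21

require (
\tgithub.com/sap/cloud-security-client-go v0.16.0
\tgithub.com/gorilla/mux v1.8.1
)
"""


def scan_samples() -> list[tuple[str, str, str]]:
    deps: dict[str, str] = {}
    deps.update(deps_from_package_json(SAMPLE_PACKAGE_JSON))
    deps.update(deps_from_requirements(SAMPLE_REQUIREMENTS))
    deps.update(deps_from_go_mod(SAMPLE_GO_MOD))
    # Java pin supplied directly (constructed); pom.xml parsing is out of scope here.
    deps["cloud-security-services-integration-library"] = "2.16.0"
    return find_affected(deps)


if __name__ == "__main__":
    for lib, spec, fix in scan_samples():
        print(f"AFFECTED  {lib} {spec}  -> update to {fix}")
```

Run it against your own manifests by swapping the sample strings for file contents; a declared range such as `^3.5.1` is reported as affected on purpose, because a lockfile or a cached install can still resolve below 3.6.0, so pin to the fixed version and regenerate the lockfile rather than relying on the range.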
References
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
https://nvd.nist.gov/vuln/detail/CVE-2023-49583
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
https://nvd.nist.gov/vuln/detail/CVE-2023-50423
https://nvd.nist.gov/vuln/detail/CVE-2023-50424