OpenCVE

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Sap-xssec

Configuration 1 [-]

cpe:2.3:a:sap:sap-xssec:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
https://github.com/SAP/cloud-pysec/
https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5
https://me.sap.com/notes/3411067
https://pypi.org/project/sap-xssec/
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

History

Sat, 28 Sep 2024 23:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-269

Sat, 28 Sep 2024 22:30:00 +0000

Type	Values Removed	Values Added
Description	SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.	SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Weaknesses		CWE-749

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2023-12-12T01:52:44.999Z

Updated: 2024-09-28T22:18:31.778Z

Reserved: 2023-12-09T17:19:02.677Z

Link: CVE-2023-50423

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-12T02:15:08.797

Modified: 2024-11-21T08:36:57.623

Link: CVE-2023-50423

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50423", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2023-12-09T17:19:02.677Z", "datePublished": "2023-12-12T01:52:44.999Z", "dateUpdated": "2024-09-28T22:18:31.778Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "sap-xssec", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "< 4.1.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.</p>"}], "value": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749: Exposed Dangerous Method or Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2024-09-28T22:18:31.778Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://me.sap.com/notes/3411067"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}, {"url": "https://pypi.org/project/sap-xssec/"}, {"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"}, {"tags": ["vendor-advisory"], "url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"}, {"url": "https://github.com/SAP/cloud-pysec/"}], "source": {"discovery": "UNKNOWN"}, "title": "Escalation of Privileges in\u00a0SAP\u00a0BTP\u00a0Security Services Integration Library ([Python] cloud-pysec)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.591Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://me.sap.com/notes/3411067"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["x_transferred"]}, {"url": "https://pypi.org/project/sap-xssec/", "tags": ["x_transferred"]}, {"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/", "tags": ["x_transferred"]}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"}, {"url": "https://github.com/SAP/cloud-pysec/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:sap-xssec:*:*:*:*:*:python:*:*", "matchCriteriaId": "3C039268-10BB-42CF-90A5-7E88DAA2193A", "versionEndExcluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application."}, {"lang": "es", "value": "SAP BTP Security Services Integration Library ([Python] sap-xssec): las versiones < 4.1.0 permiten, bajo ciertas condiciones, una escalada de privilegios. Si la explotaci\u00f3n tiene \u00e9xito, un atacante no autenticado puede obtener permisos arbitrarios dentro de la aplicaci\u00f3n."}], "id": "CVE-2023-50423", "lastModified": "2024-11-21T08:36:57.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-12T02:15:08.797", "references": [{"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"}, {"source": "cna@sap.com", "tags": ["Product"], "url": "https://github.com/SAP/cloud-pysec/"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3411067"}, {"source": "cna@sap.com", "tags": ["Product"], "url": "https://pypi.org/project/sap-xssec/"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/SAP/cloud-pysec/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3411067"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://pypi.org/project/sap-xssec/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "cna@sap.com", "type": "Secondary"}]}