Skip to content

Improper Privilege Management in sap-xssec

Critical severity GitHub Reviewed Published Dec 12, 2023 in SAP/cloud-pysec • Updated Dec 13, 2023

Package

pip sap-xssec (pip)

Affected versions

< 4.1.0

Patched versions

4.1.0

Description

Impact

SAP BTP Security Services Integration Library ([Python] sap-xssec) allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Patches

Upgrade to patched version >= 4.1.0
We always recommend to upgrade to the latest released version.

Workarounds

No workarounds

References

https://www.cve.org/CVERecord?id=CVE-2023-50423

References

@anettlippert anettlippert published to SAP/cloud-pysec Dec 12, 2023
Published to the GitHub Advisory Database Dec 13, 2023
Reviewed Dec 13, 2023
Last updated Dec 13, 2023

Severity

Critical
9.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-6mjg-37cp-42x5

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.