Beware of Privilege Escalation Vulnerability in SAP BTP Security Services Integration Library

CVE: CVE-2023-50424
CVSS v3.1: 9.1
Source: CVE-2023-50424

SAP BTP Security Services Integration Library, a Go library used to integrate applications with SAP’s security services, is affected by a critical privilege escalation vulnerability. Versions prior to 0.17.0 may allow an unauthenticated attacker, under certain conditions, to gain arbitrary permissions within applications that use the library.

The vulnerability arises from insufficient validation of the access tokens presented to the library. An attacker can potentially craft tokens that the library accepts as valid, which would allow them to perform any action within the application that a privileged user is permitted to perform.

Application developers and administrators using versions of this library prior to 0.17.0 should upgrade to the latest version immediately to prevent exploitation. It is also advisable to review the access control mechanisms of your applications to ensure that no attacker can abuse a vulnerability to escalate privileges. Application users should check with their developers or administrators whether the latest version is in use, to avoid falling victim to attacks targeting this vulnerability.
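As an added illustration, not code from the library or from this advisory, of what sufficient validation of a bearer access token looks like in a Go integration: the verifier below checks the RS256 signature against a pinned trusted key and then the issuer, audience and expiry claims before any scope in the payload is trusted, which is the property an insufficiently validating library lacks. The claim names, issuer and audience values are assumptions, and the locally generated key stands in for the token service's public key, which a real integration obtains out of band.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type Claims struct { // minimal, hypothetical access-token payload
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Scope []string `json:"scope"`
}

// signRS256 issues header.payload.signature for c, standing in for the token service.
func signRS256(key *rsa.PrivateKey, c Claims) string {
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyRS256 accepts a token only if its signature verifies under the trusted key and iss, aud and exp match.
// The header's alg is never consulted: only RS256 under the pinned key is tried, so alg=none has nothing to act on.
func verifyRS256(token string, pub *rsa.PublicKey, iss, aud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers header and payload
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return Claims{}, errors.New("signature does not verify under trusted key")
	}
	var c Claims // parsing the payload is safe only now; trusting it before this point is the weak pattern
	if pl, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pl, &c) != nil || c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return Claims{}, errors.New("payload undecodable, wrong issuer or audience, or expired")
	}
	return c, nil // only now may c.Scope drive authorization decisions
}
```

A token whose payload has been edited after signing, one signed by a key other than the pinned one, one for a different audience, or one past its exp all fail before any scope is read.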
