| { |
| "schema_version": "1.3.1", |
| "id": "GO-2023-2400", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2023-50424", |
| "GHSA-92cg-ghq6-9587", |
| "GHSA-m8rw-rcpq-2vp2" |
| ], |
| "summary": "Escalation of privileges in github.com/sap/cloud-security-client-go", |
| "details": "An unauthenticated attacker can obtain arbitrary permissions within the application under certain conditions.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/sap/cloud-security-client-go", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.17.0" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/sap/cloud-security-client-go/auth", |
| "symbols": [ |
| "Middleware.Authenticate", |
| "Middleware.AuthenticateWithProofOfPossession", |
| "matchesDomain" |
| ] |
| }, |
| { |
| "path": "github.com/sap/cloud-security-client-go/oidcclient", |
| "symbols": [ |
| "NewOIDCTenant", |
| "OIDCTenant.GetJWKs", |
| "OIDCTenant.getJWKsFromServer", |
| "OIDCTenant.performDiscovery" |
| ] |
| }, |
| { |
| "path": "github.com/sap/cloud-security-client-go/tokenclient", |
| "symbols": [ |
| "TokenFlows.ClientCredentials" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "WEB", |
| "url": "https://me.sap.com/notes/3411067" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/" |
| }, |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/SAP/cloud-security-client-go/commit/2e3bd63e152e09f267316a1071034eb5d4b7f498" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2023-2400", |
| "review_status": "REVIEWED" |
| } |
| } |