blob: edfac6b70c9220dc587658b657f9ee7c5bd2d281 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2023-2400",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-50424",
"GHSA-92cg-ghq6-9587",
"GHSA-m8rw-rcpq-2vp2"
],
"summary": "Escalation of privileges in github.com/sap/cloud-security-client-go",
"details": "An unauthenticated attacker can obtain arbitrary permissions within the application under certain conditions.",
"affected": [
{
"package": {
"name": "github.com/sap/cloud-security-client-go",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/sap/cloud-security-client-go/auth",
"symbols": [
"Middleware.Authenticate",
"Middleware.AuthenticateWithProofOfPossession",
"matchesDomain"
]
},
{
"path": "github.com/sap/cloud-security-client-go/oidcclient",
"symbols": [
"NewOIDCTenant",
"OIDCTenant.GetJWKs",
"OIDCTenant.getJWKsFromServer",
"OIDCTenant.performDiscovery"
]
},
{
"path": "github.com/sap/cloud-security-client-go/tokenclient",
"symbols": [
"TokenFlows.ClientCredentials"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://me.sap.com/notes/3411067"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"type": "ADVISORY",
"url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
},
{
"type": "FIX",
"url": "https://github.com/SAP/cloud-security-client-go/commit/2e3bd63e152e09f267316a1071034eb5d4b7f498"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-2400",
"review_status": "REVIEWED"
}
}