SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library), in versions below 2.17.0 and in versions from 3.0.0 up to but not including 3.3.0, allows an escalation of privileges under certain conditions. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. Releases 2.17.0 and later in the 2.x line, and 3.3.0 and later in the 3.x line, fall outside the affected ranges stated here.
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-50422.json"
[
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-024ff86b",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.java",
"function": "validateUrl"
},
"deprecated": false,
"digest": {
"function_hash": "215549137170565092674183792368699531837",
"length": 957.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-03c0b5e7",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.java",
"function": "validate"
},
"deprecated": false,
"digest": {
"function_hash": "290824076285326327153859042172165644556",
"length": 286.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-0adccd76",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationSucceeds"
},
"deprecated": false,
"digest": {
"function_hash": "162575013618228836601813330459898183868",
"length": 225.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-234bd71a",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "token-client/src/main/java/com/sap/cloud/security/xsuaa/client/DefaultOidcConfigurationService.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"288846055908576599211434153089324906094",
"123267386692557337601594323470909691094",
"250988929911445907917573430282052796641",
"203621980319783483440079908663790908715"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-2ddfdd5e",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.java",
"function": "matchesTokenIssuerUrl"
},
"deprecated": false,
"digest": {
"function_hash": "335481745335733236196979312132375280253",
"length": 422.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-2f3603aa",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security/src/main/java/com/sap/cloud/security/token/validation/validators/SapIdJwtSignatureValidator.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"213091714467494436286701075882114413231",
"262131183728520396241144323715564258106",
"240457408032594051826582226295360030843",
"209737190813886878754822322699071125670"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-36264378",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationFails_whenIssuerDomainDoesNotMatchIdentityProviderDomains"
},
"deprecated": false,
"digest": {
"function_hash": "64352926323089047273101090334839484199",
"length": 160.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-3ba0e74f",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "configureMock"
},
"deprecated": false,
"digest": {
"function_hash": "288297192688288825181594319017795073607",
"length": 399.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-46e3e8c1",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "token-client/src/main/java/com/sap/cloud/security/xsuaa/client/DefaultOidcConfigurationService.java",
"function": "getDiscoveryEndpointUri"
},
"deprecated": false,
"digest": {
"function_hash": "261771970429639282525539102968418293643",
"length": 201.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-4b55a4cd",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationFails_withoutMatchingIasIssuer"
},
"deprecated": false,
"digest": {
"function_hash": "81265108011912510488998568849002120234",
"length": 464.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-4fd504b7",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"71094312692228130041663766836192650442",
"206403309856563425729144589297745874855",
"297915915604126515154970769064671192613",
"203888611360156053971343352042376745123",
"135720833213264897780181946813980432942",
"294990716061954471226239673256338282468",
"13949960933048703422190523362221464240",
"231068128808098192061770342685620854229",
"293486344307588873574382929355105800949",
"239010504512365769086614715974157840408",
"19145091817090674729801426077259172608",
"268766089187749765213835708439253382513",
"20556264190028474442015243964820717574",
"151374338130260446956702894017426501782",
"63108912001328659704585450863817471920",
"49030122271426786939975085904642091963",
"268034322039204903803543243013851628205",
"292932610942331880253027206231758720272",
"124231560892373054395212046390989562330",
"31328469912727273035528278558995589861",
"94341355391144263679240952709655209085",
"172703648690876120883409419600274352234",
"192763531156438984000926746326205391984",
"269483691417418265716926832575332693794",
"298493578849085561454402574449382991077",
"113811749329550575954223911811421490089",
"166351244807715671526598866688297279054",
"93373732552992229609156511962300973436",
"276783136178902458592358585603477114489",
"156516138247226439664099661358733077482",
"337302943147238463572569135129795978667",
"74531458587696574700291676452058345160",
"161067693394294585164403687931444971053",
"75745956645841414241854507462430267964",
"95167543626942982442518019048189812296",
"64541704930471380927758525281676790650",
"13104340202271704537799960028678582286",
"202161286159713418020474695965604344691",
"179917342901573824586909865742544138239",
"175713018784656867159675318729496106258",
"163428080809821437603414818119175836929",
"71441492855099093606601750414266880378",
"223575388129471724794504254802621787979",
"187042055173008457485333757497782037268",
"317272599691181149729301390417192084285",
"129491670578704536503477996897023459820",
"298814715777404867517436595505934510177",
"155452791420435974212661887649221393294",
"134920233219414530586178066187056182033",
"220430999214493687047021933647739401839",
"88515655171945313909030715245303613012",
"114797730905714659404743438767667031744",
"21811388540493478148823652928926807941",
"194533746561390896570356341046317414310",
"277247285813820631664297176273962410504",
"250066885637410381834830919466820838867",
"212716256743514619075608052238434114229",
"87931632691447468400757004112289139251",
"258714024364239012553331078334108966280",
"234600061575716452224169558648938529680",
"32656415166533848263173849684750861702",
"294822443365068440210101867186452925902",
"195716176498620880519753846932109912840",
"126904892233529335637903360769148965010",
"44720709343867478427371231323202388728",
"34788038708139099412088683992064494142",
"41518218168979438053230645892665248670",
"334114599975716346389289767373044104374",
"64258966524432839877018367234832361085",
"193874090077583023120670468119015578975",
"103549086060777787687942041560010586118",
"289221214534478938494352027804232261066",
"80911577925984789400915051185428351640",
"310061193023246622563769256326150782097",
"185916157897824856536051371598442432844",
"7227689873548386964234050465650910834",
"186010413411572040832689488532418917605",
"320498379870040506858844332420015417274",
"239825907111447503790589005629484191505",
"156653614032059472085490581098116999913",
"148472418316902271748158310583791002841",
"274748060425976748306270694716569173693",
"181496754586941870303799561415961887783",
"181575371959891083077599109385258141450",
"245082169381861956997372736909750883202"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-5d2ca61a",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security-it/src/test/java/com/sap/cloud/security/test/performance/SpringSecurityPerformanceIT.java",
"function": "createIasConfigurationBuilder"
},
"deprecated": false,
"digest": {
"function_hash": "71835139699841312391883117475052131943",
"length": 149.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-628857d8",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security-test/src/main/java/com/sap/cloud/security/test/SecurityTest.java",
"function": "getOAuth2ServiceConfigurationBuilderFromFile"
},
"deprecated": false,
"digest": {
"function_hash": "196730495911661534367252540048849857247",
"length": 182.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-6bfc430b",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security-it/src/test/java/com/sap/cloud/security/test/integration/XsuaaIntegrationTest.java",
"function": "xsuaaTokenValidationFails_withIasCombiningValidator"
},
"deprecated": false,
"digest": {
"function_hash": "229473377578633968456719095142313700522",
"length": 658.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-78a559bd",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "setup"
},
"deprecated": false,
"digest": {
"function_hash": "214306608992410763128677096874260203771",
"length": 124.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-8e335e5a",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/main/java/com/sap/cloud/security/token/validation/validators/SapIdJwtSignatureValidator.java",
"function": "getJwksUri"
},
"deprecated": false,
"digest": {
"function_hash": "297679578021611261055300121922492693184",
"length": 561.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-912cd39a",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationFails_iasIssuerUrl"
},
"deprecated": false,
"digest": {
"function_hash": "86757630307136913086745626836685153694",
"length": 341.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-920cfc1e",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationIgnoresInvalidIssuer_whenIasIssuerIsGiven"
},
"deprecated": false,
"digest": {
"function_hash": "251600664275202447049238613011089251221",
"length": 249.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-9d0bb983",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security-it/src/test/java/com/sap/cloud/security/test/integration/XsuaaIntegrationTest.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"454054808003833319483689731302162716",
"280683503179480942973784803693903523105",
"132366273594115929857386072048249394702",
"97144399944317746336555828365968071934"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-a801a01d",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"103878551344835499063086610039541608882",
"2943090762035370607033904465267018402",
"246458972879451507236450580777207233698",
"148713154483305057154070239695269214740",
"159387552254933620182303134122047652636",
"44171863206379235199987844519312339113",
"217488087615664167750914875546142418932",
"111077696674115999880080331445117377814",
"222571682164489654047298885083994281973",
"276799902301060855769310241162220872850",
"245838265288341490158828202466480732560",
"210849648281265123704095637131127945586",
"95051109095683890737862012156218636380",
"205856363130364846132730344089679178033",
"67896155116523861552317731082120984986",
"253345984382960436936504991025611617913",
"151254601682442128730726879850029569392",
"16193456204159473634583096943072044499",
"258448616381989460194990397370541210749",
"176753404096288349119874352456922913835",
"245009846548694338022980779223888414679",
"180971499003313114243840730508132916962",
"213207349980638985223544304365523441805",
"39497718313420373102360610225498649606",
"230335299419633411559456291373734646597",
"177077702707115434472346087053109005250",
"334419100332036401448316072506648389721",
"221770919821883402687623373596814906076",
"136241128800151618972008076970701728919",
"100202581560932858656232311081422504094",
"9136221521194266245703177779286006643",
"195084214579997567378537583818835873194",
"202232735172121013166621955262570661313",
"332591594370030906801126384599144777244",
"317362086662291728789820299617460848323",
"146493562693607644430169090604544999679",
"177984180482584374739508546579857433688",
"191950551976505761838970910775703633220",
"154243243856609556086017029493422756299",
"74908154024466104397594923482430604005",
"128256405565626259257134129609728933582",
"189164336938136214439222968661578592820",
"114892047003031362665376077709933899409",
"262991836683761955151079082173123936258",
"210874981060403861984723946730490775135",
"226913179629505910671685801334309905029",
"130039868996076871065481548984043979365",
"276644883451566643705891708795894771265",
"259217809013759208071331555027328490807",
"256462423483530387612267601249919535819",
"124243749901670544918381898193173983947",
"208177766501199458927195252036043850730",
"273638599747182413169682193872826572584",
"282410053545115856818359158605055142308",
"206354866459971649611348973917287451307",
"223451100587334248012691096808328584018",
"161723935219818582961861740453004649320",
"182331832330267582090809310036862248362",
"303137260028106996032109533485345527885",
"172042117687727679521661893692557304306",
"11103884561246905329037157677761385864",
"283723414146087113757843097224257026499",
"269212917207130904084280389175878429902",
"301959861387652420206150828413208697749"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-ad871ffd",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security-test/src/main/java/com/sap/cloud/security/test/SecurityTest.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"223079898830569260993245421986240986680",
"85797578054812873854369570360464073259",
"141921004795757460221771377664096345987",
"89444079911018968656866588212692011089",
"257810369617058484109140842718569129098",
"192835387705670672369197203831058369679",
"175031286433643589159807546319742384000",
"241280886586083806613933970830382370423"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-b287848e",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security-it/src/test/java/com/sap/cloud/security/test/performance/SpringSecurityPerformanceIT.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"234847356944616811882223751722160483740",
"151833295831985357341542824196584400678",
"329192978411993689969195495924277762058",
"18480542862334215947568483477774761177"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-d2f883aa",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationSucceeds_whenIasIssuerIsEmptyOrNull"
},
"deprecated": false,
"digest": {
"function_hash": "46010663500503831013857042259552765721",
"length": 257.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-dd6f5e80",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JwtIssuerValidatorTest.java",
"function": "validationIgnoresEmptyIssuer_whenIasIssuerIsGiven"
},
"deprecated": false,
"digest": {
"function_hash": "88257443618644212064670703886975963364",
"length": 269.0
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-e69243fa",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/SapIdJwtSignatureValidatorTest.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"246687761271199467296715238359500759045",
"8032070993272194954646713358572362534",
"124742950274946649684537831840643736675",
"160324648924267831006960760111450196774"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/sap/cloud-security-services-integration-library/commit/ea528d2d72109579d4017cfc5de2dd2324f99892",
"id": "CVE-2023-50422-fbd75635",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "java-security/src/test/java/com/sap/cloud/security/token/validation/validators/SapIdJwtSignatureValidatorTest.java",
"function": "validationFails_WhenAppTidIsNull"
},
"deprecated": false,
"digest": {
"function_hash": "57892450171145734676948378538803679338",
"length": 278.0
}
}
]