vulndb/data/osv/GO-2023-2400.json

{
  "schema_version": "1.3.1",
  "id": "GO-2023-2400",
  "modified": "0001-01-01T00:00:00Z",
  "published": "0001-01-01T00:00:00Z",
  "aliases": [
    "CVE-2023-50424",
    "GHSA-92cg-ghq6-9587",
    "GHSA-m8rw-rcpq-2vp2"
  ],
  "summary": "Escalation of privileges in github.com/sap/cloud-security-client-go",
  "details": "An unauthenticated attacker can obtain arbitrary permissions within the application under certain conditions.",
  "affected": [
    {
      "package": {
        "name": "github.com/sap/cloud-security-client-go",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/sap/cloud-security-client-go/auth",
            "symbols": [
              "Middleware.Authenticate",
              "Middleware.AuthenticateWithProofOfPossession",
              "matchesDomain"
            ]
          },
          {
            "path": "github.com/sap/cloud-security-client-go/oidcclient",
            "symbols": [
              "NewOIDCTenant",
              "OIDCTenant.GetJWKs",
              "OIDCTenant.getJWKsFromServer",
              "OIDCTenant.performDiscovery"
            ]
          },
          {
            "path": "github.com/sap/cloud-security-client-go/tokenclient",
            "symbols": [
              "TokenFlows.ClientCredentials"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3411067"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    },
    {
      "type": "WEB",
      "url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
    },
    {
      "type": "FIX",
      "url": "https://github.com/SAP/cloud-security-client-go/commit/2e3bd63e152e09f267316a1071034eb5d4b7f498"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2023-2400",
    "review_status": "REVIEWED"
  }
}