Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

3412456 – [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA

Overview: A critical security vulnerability, identified as CVE-2023-49583, has been discovered in applications developed using SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA. This vulnerability poses a significant risk, as it allows for the escalation of privileges under specific conditions. Attackers could potentially exploit this vulnerability to compromise the confidentiality and integrity of your system.

Affected Components:

  • SAP Business Application Studio
  • SAP Web IDE Full-Stack
  • SAP Web IDE for SAP HANA

Vulnerability Details: Under certain conditions, node.js applications created through the above-mentioned development platforms, intended for deployment to the SAP BTP or Cloud Foundry environment, are vulnerable to CVE-2023-49583. This vulnerability has been assessed with a CVSS v3.0 Base Score of 9.1 out of 10, indicating a high level of severity.

Risk Assessment:

  • Attack Vector: Network (N)
  • Attack Complexity: Low (L)
  • Privileges Required: None (N)
  • User Interaction: None (N)
  • Scope: Unchanged (U)
  • Confidentiality Impact: High (H)
  • Integrity Impact: High (H)
  • Availability Impact: None (N)

Reason and Prerequisites: This vulnerability affects applications developed using the following library versions:

  • @sap/xssec library versions earlier than 3.6.0
  • @sap/approuter versions earlier than 14.4.2

Recommended Action: To mitigate the risk associated with CVE-2023-49583, it is strongly recommended that you take the following actions:

  1. Upgrade Dependencies: Ensure that you promptly upgrade the node.js application dependencies with the latest versions of the libraries @sap/approuter and @sap/xssec.

Additional Information:

  • SAP Security Note, Version: 7
  • Released On: 09.01.2024

References:

  • SAP Security Note 3412456: [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.

Conclusion: Taking immediate action to upgrade your application dependencies is crucial to mitigate the risk associated with this vulnerability.

Please contact your SAP support team or security experts for further assistance in addressing this issue and securing your SAP environment.

This advisory is subject to change as new information becomes available or if there are updates to the situation. 

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.