Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

3412456 – [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA

Overview: A critical security vulnerability, identified as CVE-2023-49583, has been discovered in applications developed using SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA. This vulnerability poses a significant risk, as it allows for the escalation of privileges under specific conditions. Attackers could potentially exploit this vulnerability to compromise the confidentiality and integrity of your system.

Affected Components:

  • SAP Business Application Studio
  • SAP Web IDE Full-Stack
  • SAP Web IDE for SAP HANA

Vulnerability Details: Under certain conditions, node.js applications created through the above-mentioned development platforms, intended for deployment to the SAP BTP or Cloud Foundry environment, are vulnerable to CVE-2023-49583. This vulnerability has been assessed with a CVSS v3.0 Base Score of 9.1 out of 10, indicating a high level of severity.

Risk Assessment:

  • Attack Vector: Network (N)
  • Attack Complexity: Low (L)
  • Privileges Required: None (N)
  • User Interaction: None (N)
  • Scope: Unchanged (U)
  • Confidentiality Impact: High (H)
  • Integrity Impact: High (H)
  • Availability Impact: None (N)

Reason and Prerequisites: This vulnerability affects applications developed using the following library versions:

  • @sap/xssec library versions earlier than 3.6.0
  • @sap/approuter versions earlier than 14.4.2

Recommended Action: To mitigate the risk associated with CVE-2023-49583, it is strongly recommended that you take the following actions:

  1. Upgrade Dependencies: Ensure that you promptly upgrade the node.js application dependencies with the latest versions of the libraries @sap/approuter and @sap/xssec.

Additional Information:

  • SAP Security Note, Version: 7
  • Released On: 09.01.2024

References:

  • SAP Security Note 3412456: [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.

Conclusion: Taking immediate action to upgrade your application dependencies is crucial to mitigate the risk associated with this vulnerability.

Please contact your SAP support team or security experts for further assistance in addressing this issue and securing your SAP environment.

This advisory is subject to change as new information becomes available or if there are updates to the situation. 

More to explorer

SAP Cloud Connector Certificate Validation Issue

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,

Protect Your SAP with RedRays Security Platform

Explore the Power of Our Scanner with an Interactive Prototype Below