Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

3413475 – [Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell

Symptom

Under specific conditions, SAP Edge Integration Cell, integrated with SAP BTP Security Services and reliant on various programming infrastructures, exhibits a critical vulnerability. This vulnerability, identified as CVE-2023-49583 and CVE-2023-50422, allows for an escalation of privileges. Successful exploitation by an unauthenticated attacker could lead to obtaining arbitrary permissions within the application.

Other Terms: CVE-2023-49583, CVE-2023-50422, SAP BTP Security Services Integration Libraries, privilege escalation, XSUAA, IAS, EIC, SAP Integration Suite.

Reason and Prerequisites

The vulnerability impacts SAP Edge Integration Cell versions up to and including 8.9.12.

Solution

This vulnerability has been addressed in SAP Edge Integration Cell version 8.9.13. Users are strongly advised to update their Edge Integration Cell solution to this latest version to mitigate the risk.

For step-by-step instructions on upgrading, refer to the SAP Upgrade Guide.

Workaround

There is no available workaround for this vulnerability.

CVSS Scores

  • CVSS v3.0 Base Score: 9.1 / 10
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): None (N)

Explore More

RedRays AI for ABAP Code Security

Empowering Secure, Efficient, and Compliant SAP ABAP Development—in Real Time and Without Data Retention In today’s rapidly evolving business landscape, organizations increasingly

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.