Symptom
Under specific conditions, SAP Edge Integration Cell, integrated with SAP BTP Security Services and reliant on various programming infrastructures, exhibits a critical vulnerability. This vulnerability, identified as CVE-2023-49583 and CVE-2023-50422, allows for an escalation of privileges. Successful exploitation by an unauthenticated attacker could lead to obtaining arbitrary permissions within the application.
Other Terms: CVE-2023-49583, CVE-2023-50422, SAP BTP Security Services Integration Libraries, privilege escalation, XSUAA, IAS, EIC, SAP Integration Suite.
Reason and Prerequisites
The vulnerability impacts SAP Edge Integration Cell versions up to and including 8.9.12.
Solution
This vulnerability has been addressed in SAP Edge Integration Cell version 8.9.13. Users are strongly advised to update their Edge Integration Cell solution to this latest version to mitigate the risk.
For step-by-step instructions on upgrading, refer to the SAP Upgrade Guide.
Workaround
There is no available workaround for this vulnerability.
CVSS Scores
- CVSS v3.0 Base Score: 9.1 / 10
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): High (H)
- Integrity Impact (I): High (H)
- Availability Impact (A): None (N)
