You may have seen OSS note 3411067 – [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries. It is rated CVSS 9.1/10, which is severe: it can allow unauthorized users to access the affected BTP applications.
We have been using some of the affected libraries for our BTP users: both the Java library and the Node.js Approuter. That means an attacker may be able to gain access to your Figaf installation without correct authorization. We have not been able to test whether Figaf could be attacked using this approach. If you are not using BTP to run Figaf, there is no need to upgrade.
We have now released 2312.1, a security update. We recommend that all users of Figaf in BTP upgrade to it to avoid the potential risk.
You will need to get new BTP users now moved to a git repository. The only change is to the Approuter version.
You also need to update the Docker image to 2312.1-btp.
We recommend upgrading as soon as possible to avoid any potential problems.
There is also a bug fix for MIG linking that we found after 2312 was released.