CVE-2021-41251
Possibility to elevate privileges or get unauthorized access to data
In short
The SAP Cloud SDK could cache destination configurations without proper user information, potentially allowing other users to access the same destination and its permissions. This only affects systems that explicitly enabled destination caching, which is disabled by default.
Technical detail
CWE-200 information exposure vulnerability in @sap-cloud-sdk/core versions prior to 1.52.0 where destination caching mechanism fails to properly associate user context, enabling unauthorized access to cached destinations and their associated permissions. Requires caching to be explicitly enabled; mitigated by disabling caching or upgrading to patched version.
Summary generated and translated by AI from the official description.
@sap-cloud-sdk/core contains the core functionality of the SAP Cloud SDK as well as the SAP Business Technology Platform abstractions. This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In affected versions and in some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is disabled. The security for caching has been increased. The changes are released in version 1.52.0. Users unable to upgrade are advised to disable destination caching (it is disabled by default).
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
SAP · cloud-sdk-jsWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →