CVE-2021-41251: Unauthorized access to data in @sap-cloud-sdk/core
CVSS Score: 5.9 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.5543%
CWE
Published: 11/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@sap-cloud-sdk/core | npm | < 1.52.0 | 1.52.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper cache key isolation. The patches in PR #1769 and #1770 addressed this by: 1) fixing token handling to ensure user context inclusion, and 2) changing the default isolation strategy to `Tenant_User` when caching is enabled. The core issue was in the functions responsible for cache key generation (`getCacheKey`) and destination retrieval (`getDestination`), which previously used Tenant-based isolation without user identifiers. This allowed cached destinations to be shared between users when user information was missing, violating tenant/user isolation requirements.
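
The effect of the isolation strategy on cache keys can be seen in a simplified model. This is an added example, not code from the SDK or its patches: `buildCacheKey`, `DestinationCache`, `fetchDestination` and the claim fields `tenantId`/`userId` are hypothetical names, and the sample users and tokens are constructed.

```javascript
'use strict';
// Added illustration, not SDK code. buildCacheKey, DestinationCache and the
// claim fields tenantId/userId are hypothetical names for a simplified model.
const Isolation = Object.freeze({ TENANT: 'Tenant', TENANT_USER: 'Tenant_User' });

function buildCacheKey(claims, destinationName, isolation) {
  const { tenantId, userId } = claims || {};
  if (!tenantId) return undefined; // nothing to isolate on: do not cache
  if (isolation === Isolation.TENANT) {
    // Tenant-only key: every user of the tenant maps to the same entry.
    return JSON.stringify([tenantId, destinationName]);
  }
  // Tenant_User: if the user is unknown, refuse to build a key rather than
  // silently degrading to a tenant-wide one.
  if (!userId) return undefined;
  // JSON array encoding keeps "a" + "b:c" distinct from "a:b" + "c".
  return JSON.stringify([tenantId, userId, destinationName]);
}

class DestinationCache {
  constructor(isolation) {
    this.isolation = isolation;
    this.store = new Map();
  }
  get(claims, name, fetchFn) {
    const key = buildCacheKey(claims, name, this.isolation);
    if (key === undefined) return fetchFn(claims, name); // uncacheable: fetch fresh
    if (!this.store.has(key)) this.store.set(key, fetchFn(claims, name));
    return this.store.get(key);
  }
}

// Constructed stand-in for a destination lookup whose result is user-specific.
function fetchDestination(claims, name) {
  return { name, authToken: `token-for-${claims.userId || 'technical-user'}` };
}

// Two users of one tenant request the same destination; returns what the second sees.
function secondUserSees(isolation) {
  const cache = new DestinationCache(isolation);
  cache.get({ tenantId: 't1', userId: 'alice' }, 'ERP', fetchDestination);
  return cache.get({ tenantId: 't1', userId: 'bob' }, 'ERP', fetchDestination).authToken;
}

console.log(secondUserSees(Isolation.TENANT));      // token-for-alice
console.log(secondUserSees(Isolation.TENANT_USER)); // token-for-bob
```

When reviewing an application built on a vulnerable version (< 1.52.0), the equivalent check is whether caching is enabled and which isolation strategy the destination lookup actually runs with.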