CVE-2021-41251: Unauthorized access to data in @sap-cloud-sdk/core

CVSS Score: 5.9 (CVSS 3.1)

Basic Information

EPSS Score: 0.5543%
Published: 11/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: @sap-cloud-sdk/core
Ecosystem: npm
Vulnerable Versions: < 1.52.0
First Patched Version: 1.52.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from improper cache key isolation. The patches in PR #1769 and #1770 addressed this by: 1) Fixing token handling to ensure user context inclusion, and 2) Changing the default isolation strategy to Tenant_User when caching is enabled. The core issue was in functions responsible for cache key generation (getCacheKey) and destination retrieval (getDestination), which previously used Tenant-based isolation without user identifiers. This allowed cached destinations to be shared between users when user information was missing, violating tenant/user isolation requirements.
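
The following sketch is an added example, not code from the SDK or from the referenced pull requests. It shows how a tenant-only cache key hands one user's cached destination to another user of the same tenant, and how a tenant-plus-user key that refuses to cache when the user is unknown prevents it. Every name in it (`tenantKey`, `tenantUserKey`, `DestinationCache`, the claim fields, the `erp` destination) is hypothetical, and skipping the cache when the user id is missing is an assumption about one reasonable hardening.

```javascript
// Added illustration. All names are hypothetical; this is not the SDK's API.

// Before: tenant-only isolation. The user never enters the key.
function tenantKey(claims, destinationName) {
  return JSON.stringify([claims.tenantId, destinationName]);
}

// After: Tenant_User isolation. Returns undefined (meaning "do not cache")
// when the user id is missing, instead of falling back to a shared key.
function tenantUserKey(claims, destinationName) {
  if (!claims.tenantId || !claims.userId) return undefined;
  // Array encoding avoids delimiter collisions between key parts.
  return JSON.stringify([claims.tenantId, claims.userId, destinationName]);
}

class DestinationCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.store = new Map();
  }
  // fetchFn stands in for the destination lookup made on behalf of the caller.
  get(claims, destinationName, fetchFn) {
    const key = this.keyFn(claims, destinationName);
    if (key !== undefined && this.store.has(key)) return this.store.get(key);
    const destination = fetchFn(claims, destinationName);
    if (key !== undefined) this.store.set(key, destination);
    return destination;
  }
}

// Constructed stand-in: a destination carrying a token bound to the calling user.
const fetchForUser = (claims, name) => ({
  name,
  authToken: `token-for-${claims.userId}`,
});

// Alice populates the cache, then Bob (same tenant) asks for the same destination.
function whatBobGets(keyFn) {
  const cache = new DestinationCache(keyFn);
  cache.get({ tenantId: 't1', userId: 'alice' }, 'erp', fetchForUser);
  return cache.get({ tenantId: 't1', userId: 'bob' }, 'erp', fetchForUser).authToken;
}

console.log(whatBobGets(tenantKey));     // token-for-alice
console.log(whatBobGets(tenantUserKey)); // token-for-bob
```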

WAF Protection Rules

WAF Rule

Impact

This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In some cases, when user information was missing, destinations were cached without user information, allowing ot…
