5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41251

GHSA ID

GHSA-gp2f-254m-rh32

EPSS Score

0.5543%

CWE

CWE-200

Published

11/10/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41251

CVE-2021-41251: Unauthorized access to data in @sap-cloud-sdk/core

Impact

This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is disabled. If it is enabled the maximum lifetime is 5 minutes which limits the attack vector.

Patches

The problem was fixed by #1769 and #1770. The security for caching has been increased. The changes are released in version 1.52.0.

Workarounds

Disable destination caching (it is disabled by default).

References

destination cache API docs

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/SAP/cloud-sdk-js

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41251

GHSA ID

GHSA-gp2f-254m-rh32

EPSS Score

0.5543%

CWE

CWE-200

Published

11/10/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@sap-cloud-sdk/core	npm	< 1.52.0	1.52.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper cache key isolation. The patches in PR #1769 and #1770 addressed this by: 1) Fixing token handling to ensure user context inclusion, and 2) Changing the default isolation strategy to Tenant_User when caching is enabled. The core issue was in functions responsible for cache key generation (getCacheKey) and destination retrieval (getDestination), which previously used Tenant-based isolation without user identifiers. This allowed cached destinations to be shared between users when user information was missing, violating tenant/user isolation requirements.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is *****ts *ppli**tions on S*P *usin*ss T***nolo*y Pl*t*orm t**t us* t** S*P *lou* S*K *n* *n**l** ****in* o* **stin*tions. In som* **s*s, w**n us*r in*orm*tion w*s missin*, **stin*tions w*r* ****** wit*out us*r in*orm*tion, *llowin* ot*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r ***** k*y isol*tion. T** p*t***s in PR #**** *n* #**** ***r*ss** t*is *y: *) *ixin* tok*n **n*lin* to *nsur* us*r *ont*xt in*lusion, *n* *) ***n*in* t** ****ult isol*tion str*t**y to `T*n*nt_Us*r` w**n ****in*

5.9

Basic Information

Concerned about an active attack path?

CVE-2021-41251: Unauthorized access to data in @sap-cloud-sdk/core

Impact

Patches

Workarounds

References

For more information

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI