CVE-2021-41251: Sensitive Information Exposure in SAP Cloud-sdk-js

Severity
5.9 MEDIUM (NVD)
EPSS
0.3%
top 43.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 5
Latest update: Nov 10

Description

@sap-cloud-sdk/core contains the core functionality of the SAP Cloud SDK as well as the SAP Business Technology Platform abstractions. This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In affected versions and in some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is di

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (3 packages)

npm: sap-cloud-sdk/core < 1.52.0
NVD: sap/cloud_sdk < 1.52.0
CVEListV5: sap/cloud-sdk-js < 1.52.0

Patches

🔴 Vulnerability Details (3)

OSV: Unauthorized access to data in @sap-cloud-sdk/core (2021-11-10)
GHSA: Unauthorized access to data in @sap-cloud-sdk/core (2021-11-10)
CVEList: Possibility to elevate privileges or get unauthorized access to data (2021-11-05)