PT-2021-23215 · Sap · @Sap-Cloud-Sdk/Core

Author Johenning

Published 2021-11-05 · Updated 2021-11-15

CVE-2021-41251

CVSS v3.1 5.9 Medium

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @sap-cloud-sdk/core versions prior to 1.52.0

Description: The issue affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and have enabled caching of destinations. In some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is disabled. If it is enabled, the maximum lifetime is 5 minutes, which limits the attack vector.

Recommendations: For versions prior to 1.52.0, update to version 1.52.0 to resolve the issue. As a temporary workaround for users unable to upgrade, disable destination caching, as it is disabled by default.
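The following is an added illustration of the bug class the advisory describes, not code from @sap-cloud-sdk/core: a destination cache whose key silently drops the user when the user claim is missing, beside a hardened variant that refuses to cache such lookups. All names (makeDestinationCache, fetchFromDestinationService, the JWT claim names) and the hardening strategy are assumptions made for the example.

```javascript
const MAX_TTL_MS = 5 * 60 * 1000; // the advisory's 5-minute maximum cache lifetime

// Stand-in for the destination service (hypothetical): the destination it returns
// carries an auth token minted for the caller's JWT subject, so it is user-specific.
function fetchFromDestinationService(name, ctx) {
  return { name, tenant: ctx.tenant, authToken: `token-for-${ctx.jwt.sub}` };
}

// mode 'vulnerable': keys on the optional user_id claim and falls back to a
// tenant-wide key when it is missing, so the entry is shared by every user.
// mode 'hardened': a lookup without user identity bypasses the cache entirely.
function makeDestinationCache(mode, now = () => Date.now()) {
  const entries = new Map();
  return {
    getDestination(name, ctx) {
      const userId = ctx.jwt.user_id; // undefined when the claim is absent
      if (userId === undefined && mode === 'hardened') {
        // Nothing to isolate by: fetch fresh and never store the result.
        return { destination: fetchFromDestinationService(name, ctx), cacheHit: false };
      }
      const key = userId === undefined
        ? `${ctx.tenant}/${name}`            // shared across the whole tenant
        : `${ctx.tenant}/${userId}/${name}`; // per-user isolation
      const hit = entries.get(key);
      if (hit && hit.expiresAt > now()) {
        return { destination: hit.destination, cacheHit: true };
      }
      const destination = fetchFromDestinationService(name, ctx);
      entries.set(key, { destination, expiresAt: now() + MAX_TTL_MS });
      return { destination, cacheHit: false };
    },
  };
}

// Constructed scenario: two users of one tenant whose JWTs carry a subject but
// no user_id claim request the same destination name in turn.
function demo(mode, now) {
  const cache = makeDestinationCache(mode, now);
  const alice = { tenant: 't1', jwt: { sub: 'alice' } };
  const bob = { tenant: 't1', jwt: { sub: 'bob' } };
  cache.getDestination('ERP', alice);
  const b = cache.getDestination('ERP', bob);
  return { bobToken: b.destination.authToken, bobHit: b.cacheHit };
}
```

In the vulnerable mode Bob's request is a cache hit that hands him the destination holding Alice's token; in the hardened mode he always gets a destination fetched for himself, and even the vulnerable entry expires after MAX_TTL_MS.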

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2021-41251
GHSA-GP2F-254M-RH32

Affected Products

@Sap-Cloud-Sdk/Core