{"containers": {"cna": {"affected": [{"product": "cloud-sdk-js", "vendor": "SAP", "versions": [{"status": "affected", "version": "< 1.52.0"}]}], "descriptions": [{"lang": "en", "value": "@sap-cloud-sdk/core contains the core functionality of the SAP Cloud SDK as well as the SAP Business Technology Platform abstractions. This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In affected versions and in some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is disabled. The security for caching has been increased. The changes are released in version 1.52.0. Users unable to upgrade are advised to disable destination caching (it is disabled by default)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-05T22:50:12.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SAP/cloud-sdk-js/security/advisories/GHSA-gp2f-254m-rh32"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1769"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1770"}], "source": {"advisory": "GHSA-gp2f-254m-rh32", "discovery": "UNKNOWN"}, "title": "Possibility to elevate privileges or get unauthorized access to data", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41251", "STATE": "PUBLIC", "TITLE": "Possibility to elevate privileges or get unauthorized access to data"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cloud-sdk-js", "version": {"version_data": [{"version_value": "< 1.52.0"}]}}]}, "vendor_name": "SAP"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "@sap-cloud-sdk/core contains the core functionality of the SAP Cloud SDK as well as the SAP Business Technology Platform abstractions. This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In affected versions and in some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is disabled. The security for caching has been increased. The changes are released in version 1.52.0. Users unable to upgrade are advised to disable destination caching (it is disabled by default)."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/SAP/cloud-sdk-js/security/advisories/GHSA-gp2f-254m-rh32", "refsource": "CONFIRM", "url": "https://github.com/SAP/cloud-sdk-js/security/advisories/GHSA-gp2f-254m-rh32"}, {"name": "https://github.com/SAP/cloud-sdk-js/pull/1769", "refsource": "MISC", "url": "https://github.com/SAP/cloud-sdk-js/pull/1769"}, {"name": "https://github.com/SAP/cloud-sdk-js/pull/1770", "refsource": "MISC", "url": "https://github.com/SAP/cloud-sdk-js/pull/1770"}]}, "source": {"advisory": "GHSA-gp2f-254m-rh32", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.645Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/SAP/cloud-sdk-js/security/advisories/GHSA-gp2f-254m-rh32"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1769"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1770"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41251", "datePublished": "2021-11-05T22:50:12.000Z", "dateReserved": "2021-09-15T00:00:00.000Z", "dateUpdated": "2024-08-04T03:08:31.645Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:cloud_sdk:*:*:*:*:*:java:*:*", "matchCriteriaId": "50ED26B5-55DE-48D8-94AF-76882D41D76E", "versionEndExcluding": "1.52.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "@sap-cloud-sdk/core contains the core functionality of the SAP Cloud SDK as well as the SAP Business Technology Platform abstractions. This affects applications on SAP Business Technology Platform that use the SAP Cloud SDK and enabled caching of destinations. In affected versions and in some cases, when user information was missing, destinations were cached without user information, allowing other users to retrieve the same destination with its permissions. By default, destination caching is disabled. The security for caching has been increased. The changes are released in version 1.52.0. Users unable to upgrade are advised to disable destination caching (it is disabled by default)."}, {"lang": "es", "value": "@sap-cloud-sdk/core contiene la funcionalidad principal del SDK de SAP Cloud, as\u00ed como las abstracciones de SAP Business Technology Platform. Esto afecta a las aplicaciones de SAP Business Technology Platform que usan el SDK de SAP Cloud y que permiten el almacenamiento en cach\u00e9 de los destinos. En las versiones afectadas y en algunos casos, cuando faltaba la informaci\u00f3n del usuario, los destinos se almacenaban en la cach\u00e9 sin la informaci\u00f3n del usuario, lo que permit\u00eda a otros usuarios recuperar el mismo destino con sus permisos. Por defecto, el almacenamiento en cach\u00e9 de los destinos est\u00e1 desactivado. Se ha aumentado la seguridad del almacenamiento en cach\u00e9. Los cambios se publican en la versi\u00f3n 1.52.0. Se aconseja a los usuarios que no puedan actualizarse que desactiven el almacenamiento en cach\u00e9 de los destinos (est\u00e1 desactivado por defecto)"}], "id": "CVE-2021-41251", "lastModified": "2024-11-21T06:25:53.463", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-11-05T23:15:08.850", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1769"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1770"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/SAP/cloud-sdk-js/security/advisories/GHSA-gp2f-254m-rh32"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1769"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/SAP/cloud-sdk-js/pull/1770"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/SAP/cloud-sdk-js/security/advisories/GHSA-gp2f-254m-rh32"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}