CVE-2021-41251: 
JavaScript vulnerability analysis and mitigation

CVE-2021-41251 affects the @sap-cloud-sdk/core package, which contains core functionality of the SAP Cloud SDK and SAP Business Technology Platform abstractions. The vulnerability was discovered in versions prior to 1.52.0, where applications using the SAP Cloud SDK with enabled destination caching could be affected. The issue was disclosed and patched on November 5, 2021 (GitHub Advisory).

The vulnerability occurs when user information is missing during destination caching operations. In such cases, destinations were cached without user information, which could allow other users to retrieve the same destination along with its associated permissions. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could lead to unauthorized access to data and potential privilege escalation. When exploited, other users could access destinations with permissions that should have been restricted. However, the impact is limited by the fact that destination caching is disabled by default, and when enabled, has a maximum lifetime of 5 minutes (GitHub Advisory).

The vulnerability has been patched in version 1.52.0 of @sap-cloud-sdk/core. Users are advised to upgrade to this version or later. For those unable to upgrade immediately, the recommended workaround is to disable destination caching, which is already the default setting (GitHub Advisory).