CVE-2021-42064

Summary

If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP Commerce< 1905affected
SAP SESAP Commerce< 2005affected
SAP SESAP Commerce< 2105affected
SAP SESAP Commerce< 2011affected

Weaknesses

  • SQL Injection

ADP Enrichment

CVE Program Container

Additional References

References