CVE-2021-42064

CWE-89 — SQL Injection3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.6%

top 29.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Commerce SAP Commerce

Timeline

PublishedDec 14

Latest updateDec 15

Description

If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_commerce< 1905+3

▶NVDsap/commerce4 versions+3

🔴Vulnerability Details

GHSA

GHSA-529g-jxw5-837v: If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce -↗2021-12-15

▶

CVEList

CVE-2021-42064: If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce -↗2021-12-14

▶