CVE-2021-42064
published 2021-12-14
critical 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
If configured to use an Oracle database and if a query is created using the flexible search Java API with a parameterized "in" clause, SAP Commerce (versions 1905, 2005, 2105, 2011) allows an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | commerce | — | — |
| sap | commerce | — | — |
| sap | commerce | — | — |
| sap | commerce | — | — |
| sap_se | sap_commerce | < 1905 | 1905 |
| sap_se | sap_commerce | < 2005 | 2005 |
| sap_se | sap_commerce | < 2105 | 2105 |
| sap_se | sap_commerce | < 2011 | 2011 |