← Back to CVEs
CVE-2021-42064
CRITICAL9.8
Description
If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published12/14/2021
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
sap:commerce
Weaknesses (CWE)
CWE-89
References
https://launchpad.support.sap.com/#/notes/3114134(cna@sap.com)
https://launchpad.support.sap.com/#/notes/3114134(af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.