CVE-2021-42064: SQL Injection
First published: Tue Dec 14 2021(Updated: )
If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Commerce | =1905 | |
| SAP Commerce | =2005 | |
| SAP Commerce | =2011 | |
| SAP Commerce | =2105 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/sap
- canonical/sap commerce
- version/sap commerce/1905
- version/sap commerce/2005
- version/sap commerce/2011
- version/sap commerce/2105