CVE-2021-42064
Severity: CRITICAL
SAP Commerce 1905, 2005, 2011, 2105 - SQL Injection via Flexible Search Java API Parameterized 'in' Clause
Title source: llmDescription
If SAP Commerce is configured to use an Oracle database, and a query is built with the Flexible Search Java API using a parameterized "in" clause, versions 1905, 2005, 2011 and 2105 allow an attacker to execute crafted database queries and expose the backend database. The vulnerability is present only when the parameterized "in" clause receives more than 1000 values. That threshold is Oracle's own limit on the number of expressions in a single IN list (ORA-01795), so the affected behaviour is specific to how lists longer than the database accepts are handled; the advisory does not describe the internal mechanism further.
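The following is an added illustration of the condition in the description; it is not SAP's code and does not claim to be the Flexible Search implementation. It shows the general anti-pattern a reviewer looks for when a bug is gated on a list-size threshold: values are bound as parameters on the common path, but a separate fallback for lists over Oracle's 1000-expression limit builds literals by concatenation. Python with an in-memory SQLite database stands in for Java and Oracle so the block runs offline; the table names, column names, secret value and the fallback design are all constructed for the example.

```python
import sqlite3

# Oracle rejects an IN list with more than 1000 expressions (ORA-01795), so a
# query layer must split longer lists into several IN groups or several queries.
ORACLE_IN_LIST_LIMIT = 1000


def _chunks(seq, size):
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def build_in_query_vulnerable(codes, limit=ORACLE_IN_LIST_LIMIT):
    """Constructed anti-pattern (not SAP's code): bound parameters while the list
    fits in one IN clause, but the over-limit fallback quotes values by hand."""
    codes = list(codes)
    if not codes:
        return "SELECT code, price FROM products WHERE 0", []
    if len(codes) <= limit:
        marks = ",".join("?" for _ in codes)
        return f"SELECT code, price FROM products WHERE code IN ({marks})", codes
    groups = [
        "code IN (" + ",".join(f"'{c}'" for c in chunk) + ")"  # injection point
        for chunk in _chunks(codes, limit)
    ]
    return "SELECT code, price FROM products WHERE " + " OR ".join(groups), []


def build_in_queries_safe(codes, limit=ORACLE_IN_LIST_LIMIT):
    """Hardened form: each chunk keeps one bind variable per value, so the limit
    only changes how many statements run, never how values are quoted."""
    for chunk in _chunks(list(codes), limit):
        marks = ",".join("?" for _ in chunk)
        yield f"SELECT code, price FROM products WHERE code IN ({marks})", list(chunk)


def make_demo_db():
    # Constructed schema: a product table the query is meant to read, and a
    # second table the attacker should never be able to reach through it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT, price REAL)")
    conn.execute("CREATE TABLE api_keys (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(f"P{i}", float(i)) for i in range(1200)])
    conn.execute("INSERT INTO api_keys VALUES ('payment-gateway', 'constructed-secret-value')")
    return conn


# 1000 legitimate codes push the list past the limit; value 1001 is the payload.
LEGIT_CODES = [f"P{i}" for i in range(1000)]
PAYLOAD = "x') UNION SELECT name, secret FROM api_keys --"
ATTACK_CODES = LEGIT_CODES + [PAYLOAD]


def run_vulnerable(codes):
    conn = make_demo_db()
    sql, params = build_in_query_vulnerable(codes)
    return conn.execute(sql, params).fetchall()


def run_safe(codes):
    conn = make_demo_db()
    rows = []
    for sql, params in build_in_queries_safe(codes):
        rows.extend(conn.execute(sql, params).fetchall())
    return rows


def leaked_secrets(rows):
    """Rows from api_keys that surfaced through the products query."""
    return [secret for name, secret in rows if name == "payment-gateway"]


if __name__ == "__main__":
    print("vulnerable, 1001 values:", leaked_secrets(run_vulnerable(ATTACK_CODES)))
    print("vulnerable, 2 values:   ", leaked_secrets(run_vulnerable(["P1", PAYLOAD])))
    print("safe, 1001 values:      ", leaked_secrets(run_safe(ATTACK_CODES)))
```

With two values the vulnerable builder behaves correctly, because the payload is bound as a parameter; the same payload as the 1001st value lands in the concatenating fallback and the UNION reads the unrelated table. The check to carry back to any real code base is that every branch of the list-splitting logic, not just the common one, must pass values through bind variables.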
References (2)
Vendor Advisory: https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021
SAP Note 3114134 (login required): https://launchpad.support.sap.com/#/notes/3114134
Scores
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0062 (percentile 70.3%)
Details
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Status: published
Products (4): sap/commerce 1905, 2005, 2011, 2105
Published: Dec 14, 2021
Tracked Since: Feb 18, 2026