CVE-2021-42064
CVE-2021-42064 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. If configured to use an Oracle database, and if a query is created using the FlexibleSearch Java API with a parameterized "in" clause, SAP Commerce versions 1905, 2005, 2011 and 2105 allow an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values. EPSS estimates a 1.09% chance of exploitation in the next 30 days.
Description
If configured to use an Oracle database, and if a query is created using the FlexibleSearch Java API with a parameterized "in" clause, SAP Commerce versions 1905, 2005, 2011 and 2105 allow an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sap | Commerce | 1905 |
| Sap | Commerce | 2005 |
| Sap | Commerce | 2011 |
| Sap | Commerce | 2105 |
References
- https://launchpad.support.sap.com/#/notes/3114134 (SAP Security Note 3114134; permissions required)
Source: NVD / NIST
