CVE-2021-42064

Name of the Vulnerable Software and Affected Versions SAP Commerce versions 1905, 2005, 2105, 2011

Description The issue allows an attacker to execute crafted database queries, exposing the backend database, if the system is configured to use an Oracle database and a query is created using the flexible search Java API with a parameterized "in" clause. This vulnerability is present when the parameterized "in" clause accepts more than 1000 values.

Recommendations For versions 1905, 2005, 2105, 2011, consider restricting the number of values accepted by the parameterized "in" clause to 1000 or less as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.