Code injection

2021-12-1416:15:00

PRIOn knowledge base

www.prio-n.com

9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.5%

JSON

If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized “in” clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized “in” clause accepts more than 1000 values.

CPENameOperatorVersion
commerceeq1905
commerceeq2005
commerceeq2011
commerceeq2105

Name	Operator	Version
commerce	eq	1905
commerce	eq	2005
commerce	eq	2011
commerce	eq	2105

References

launchpad.support.sap.com/

wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021