Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

[CVE-2021-42064] SQL Injection vulnerability in SAP Commerce, SAP security note 3114134

Description

Symptom

If SAP Commerce is configured to use an Oracle database and if a query is created using the flexible search java api with a parametrized “in” clause SAP Commerce allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parametrized “in” clause accepts more than 1000 values.

The problem can affect any kind of extension using the flexible search api with an “in” clause with partially untrusted input and potentially some internal components of the platform when using an Oracle database.

Other Terms

Injection attack, blind SQL injection, database vulnerabilities, CVE-2021-42064

Reason and Prerequisites

Any SAP Commerce installation using Oracle database is impacted.

Solution

SAP Commerce addresses this vulnerability by properly escaping any value passed to parametrized “in” clause when handling flexible search queries having more than 1000 values used in this clause.

The following patch releases address this vulnerability:

The Software Downloads of these or later patches are available in the SAP Support Portal. For information about installing patches, see About Patch Releases.

 

Available fix and Supported packages

HY_COM|1905|1905
HY_COM|2005|2005
HY_COM|2105|2105
HY_COM|2011|2011

Affected component

HY_COM

CVSS

Score:8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploit


Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/3114134

TAGS

Injection attack, blind SQL injection, database vulnerabilities, CVE-2021-42064

Explore More

RedRays AI for ABAP Code Security

Empowering Secure, Efficient, and Compliant SAP ABAP Development—in Real Time and Without Data Retention In today’s rapidly evolving business landscape, organizations increasingly

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.