Arpine Maghakyan


Security Researcher of RedRays.

[CVE-2021-42064] SQL Injection vulnerability in SAP Commerce, SAP security note 3114134



If SAP Commerce is configured to use an Oracle database and a query is created using the flexible search Java API with a parametrized “in” clause, SAP Commerce allows an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parametrized “in” clause accepts more than 1000 values.

The problem can affect any extension that uses the flexible search API with an “in” clause fed with partially untrusted input, and potentially some internal components of the platform, when an Oracle database is used.

Other Terms

Injection attack, blind SQL injection, database vulnerabilities, CVE-2021-42064

Reason and Prerequisites

Any SAP Commerce installation using Oracle database is impacted.


SAP Commerce addresses this vulnerability by properly escaping any value passed to a parametrized “in” clause when handling flexible search queries that use more than 1000 values in this clause.
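The safe pattern that the fix describes, as an added example that is not SAP's code: a Python stand-in for a flexible-search-style “in” builder that splits a long value list into chunks of at most 1000 (Oracle's IN-list limit) while keeping every value a bound parameter in every chunk, run against an in-memory SQLite table instead of Oracle. The function names, table layout and sample data are assumptions for the demo.

```python
import sqlite3
from typing import List, Sequence, Tuple

# Oracle rejects IN lists with more than 1000 literals, which is why query
# builders split long lists into several IN (...) groups. The point of the
# CVE-2021-42064 fix is that the values in the split groups must stay bound
# parameters (or be properly escaped) rather than being inlined as text.
ORACLE_IN_LIST_LIMIT = 1000


def build_in_clause(column: str, values: Sequence, limit: int = ORACLE_IN_LIST_LIMIT) -> Tuple[str, List]:
    """Return (sql_fragment, params) for `column IN (...)` over any number of values.

    Values are split into chunks of at most `limit`; each chunk becomes an IN
    list of positional placeholders and the chunks are OR-ed together. Values
    are only ever returned as parameters, so a crafted string like
    "x') OR 1=1 --" is data for the database driver, not query text.
    """
    if not values:
        return "1 = 0", []  # an empty IN list is invalid SQL; match nothing instead
    chunks = [values[i:i + limit] for i in range(0, len(values), limit)]
    parts = [f"{column} IN ({', '.join('?' * len(c))})" for c in chunks]
    return "(" + " OR ".join(parts) + ")", list(values)


def find_products(conn: sqlite3.Connection, codes: Sequence[str], limit: int = ORACLE_IN_LIST_LIMIT) -> List[str]:
    """Look up product codes with a chunked, fully parametrized IN clause."""
    where, params = build_in_clause("code", codes, limit)
    rows = conn.execute(f"SELECT code FROM product WHERE {where} ORDER BY code", params)
    return [r[0] for r in rows]


def demo() -> List[str]:
    # Constructed sample data standing in for a Commerce product table (assumed layout).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (code TEXT PRIMARY KEY, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", [(f"P{i:04d}", 9.99) for i in range(12)])
    # Twelve lookup values with a small chunk limit to exercise the multi-chunk
    # path; the hostile-looking last value must simply match nothing.
    wanted = [f"P{i:04d}" for i in range(10)] + ["P0011", "x') OR 1=1 --"]
    return find_products(conn, wanted, limit=5)  # chunks of 5, 5 and 2 values


if __name__ == "__main__":
    print(demo())
```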

The following patch releases address this vulnerability:

The Software Downloads of these or later patches are available in the SAP Support Portal. For information about installing patches, see About Patch Releases.


Available fix and Supported packages


Affected component





Exploit is not available.
For detailed information, please contact [email protected].



