CVE-2022-22536

Warnung

EPSS 93.82%
Veröffentlicht 09.02.2022 23:15:18
Zuletzt bearbeitet 13.03.2025 16:36:39
Quelle cna@sap.com
Teams Watchlist Login
Unerledigt Login

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

SAP ≫ Content Server Version7.53

SAP ≫ Netweaver Application Server Abap Version7.22

SAP ≫ Netweaver Application Server Abap Version7.49

SAP ≫ Netweaver Application Server Abap Version7.53

SAP ≫ Netweaver Application Server Abap Version7.77

SAP ≫ Netweaver Application Server Abap Version7.81

SAP ≫ Netweaver Application Server Abap Version7.85

SAP ≫ Netweaver Application Server Abap Version7.86

SAP ≫ Netweaver Application Server Abap Version7.87

SAP ≫ Netweaver Application Server Abap Version8.04

SAP ≫ Netweaver Application Server Abap Versionkrnl64nuc_7.22

SAP ≫ Netweaver Application Server Abap Versionkrnl64nuc_7.22ext

SAP ≫ Netweaver Application Server Abap Versionkrnl64nuc_7.49

SAP ≫ Netweaver Application Server Abap Versionkrnl64uc_7.22

SAP ≫ Netweaver Application Server Abap Versionkrnl64uc_7.22ext

SAP ≫ Netweaver Application Server Abap Versionkrnl64uc_7.49

SAP ≫ Netweaver Application Server Abap Versionkrnl64uc_7.53

SAP ≫ Netweaver Application Server Abap Versionkrnl64uc_8.04

SAP ≫ Web Dispatcher Version7.22ext

SAP ≫ Web Dispatcher Version7.49

SAP ≫ Web Dispatcher Version7.53

SAP ≫ Web Dispatcher Version7.77

SAP ≫ Web Dispatcher Version7.81

SAP ≫ Web Dispatcher Version7.85

SAP ≫ Web Dispatcher Version7.86

SAP ≫ Web Dispatcher Version7.87

18.08.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

SAP Multiple Products HTTP Request Smuggling Vulnerability

Schwachstelle

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.82%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

Not Applicable

https://launchpad.support.sap.com/#/notes/3123396

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-22536

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-22536

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-22536

EUVD