CVE-2022-22536

Summary

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver and ABAP PlatformKERNEL 7.22affected
SAP SESAP NetWeaver and ABAP Platform8.04affected
SAP SESAP NetWeaver and ABAP Platform7.49affected
SAP SESAP NetWeaver and ABAP Platform7.53affected
SAP SESAP NetWeaver and ABAP Platform7.77affected
SAP SESAP NetWeaver and ABAP Platform7.81affected
SAP SESAP NetWeaver and ABAP Platform7.85affected
SAP SESAP NetWeaver and ABAP Platform7.86affected
SAP SESAP NetWeaver and ABAP Platform7.87affected
SAP SESAP NetWeaver and ABAP PlatformKRNL64UC 8.04affected
SAP SESAP NetWeaver and ABAP Platform7.22affected
SAP SESAP NetWeaver and ABAP Platform7.22EXTaffected
SAP SESAP NetWeaver and ABAP PlatformKRNL64NUC 7.22affected
SAP SESAP Web Dispatcher7.49affected
SAP SESAP Web Dispatcher7.53affected
SAP SESAP Web Dispatcher7.77affected
SAP SESAP Web Dispatcher7.81affected
SAP SESAP Web Dispatcher7.85affected
SAP SESAP Web Dispatcher7.22EXTaffected
SAP SESAP Web Dispatcher7.86affected
SAP SESAP Web Dispatcher7.87affected
SAP SESAP Content Server7.53affected

Weaknesses

  • CWE-444: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References