CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-29108 – IP filter vulnerability in ABAP Platform and SAP Web Dispatcher
https://notcve.org/view.php?id=CVE-2023-29108
The IP filter in ABAP Platform and SAP Web Dispatcher - versions WEBDISP 7.85, 7.89, KERNEL 7.85, 7.89, 7.91, may be vulnerable by erroneous IP netmask handling. This may enable access to backend applications from unwanted sources. • https://launchpad.support.sap.com/#/notes/3315312 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints •
CVSS: 9.4EPSS: 4%CPEs: 9EXPL: 2CVE-2021-38162 – SAP Web Dispatcher HTTP Request Smuggling
https://notcve.org/view.php?id=CVE-2021-38162
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify any information on the server or consume server resources making it temporarily unavailable. SAP Web Dispatcher versiones - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7. 83 unos procesos permiten a un atacante no autenticado enviar una petición maliciosa diseñada a través de una red a un servidor front-end que puede, a lo largo de varios intentos, hacer que un servidor back-end confunda los límites de los mensajes maliciosos y legítimos. Esto puede resultar en que el servidor back-end ejecutar una carga útil maliciosa que puede ser usada para leer o modificar cualquier información en el servidor o consumir recursos del servidor haciéndolo temporalmente no disponible SAP Web Dispatcher suffers from an HTTP request smuggling vulnerability. • http://packetstormsecurity.com/files/166964/SAP-Web-Dispatcher-HTTP-Request-Smuggling.html http://seclists.org/fulldisclosure/2022/May/3 https://launchpad.support.sap.com/#/notes/3080567 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.4EPSS: 0%CPEs: 30EXPL: 0CVE-2021-33683
https://notcve.org/view.php?id=CVE-2021-33683
SAP Web Dispatcher and Internet Communication Manager (ICM), versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, process invalid HTTP header. The incorrect handling of the invalid Transfer-Encoding header in a particular manner leads to a possibility of HTTP Request Smuggling attack. An attacker could exploit this vulnerability to bypass web application firewall protection, divert sensitive data such as customer requests, session credentials, etc. SAP Web Dispatcher e Internet Communication Manager (ICM), versiones - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22EXT, 7. 49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, procesan un encabezado HTTP no válido. El manejo incorrecto de la cabecera Transfer-Encoding no válida de manera particular conlleva a una posibilidad de ataque de contrabando de peticiones HTTP. • https://launchpad.support.sap.com/#/notes/3000663 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •