CVE-2022-22536
SAP Multiple Products HTTP Request Smuggling Vulnerability
Severity Score
10.0
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
-
*SSVC
Descriptions
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 y SAP Web Dispatcher son vulnerables para el contrabando de peticiones y la concatenación de peticiones. Un atacante no autenticado puede añadir datos arbitrarios a la petición de la víctima. De este modo, el atacante puede ejecutar funciones suplantando a la víctima o envenenar las cachés web intermediarias. Un ataque con éxito podría resultar en el compromiso completo de la Confidencialidad, Integridad y Disponibilidad del sistema
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-04 CVE Reserved
- 2022-02-09 CVE Published
- 2022-02-15 First Exploit
- 2022-08-18 Exploited in Wild
- 2022-09-08 KEV Due Date
- 2024-08-03 CVE Updated
- 2024-09-15 EPSS Updated
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/antx-code/CVE-2022-22536 | 2022-02-15 | |
| https://github.com/tess-ss/SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536 | 2022-04-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | 2024-06-28 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sap Search vendor "Sap" | Content Server Search vendor "Sap" for product "Content Server" | 7.53 Search vendor "Sap" for product "Content Server" and version "7.53" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.22 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.22" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.49 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.49" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.53 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.53" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.77 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.77" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.81 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.81" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.85 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.85" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.86 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.86" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 7.87 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "7.87" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | 8.04 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "8.04" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64nuc_7.22 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64nuc_7.22" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64nuc_7.22ext Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64nuc_7.22ext" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64nuc_7.49 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64nuc_7.49" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64uc_7.22 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64uc_7.22" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64uc_7.22ext Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64uc_7.22ext" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64uc_7.49 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64uc_7.49" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64uc_7.53 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64uc_7.53" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Netweaver Application Server Abap Search vendor "Sap" for product "Netweaver Application Server Abap" | krnl64uc_8.04 Search vendor "Sap" for product "Netweaver Application Server Abap" and version "krnl64uc_8.04" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.22ext Search vendor "Sap" for product "Web Dispatcher" and version "7.22ext" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.49 Search vendor "Sap" for product "Web Dispatcher" and version "7.49" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.53 Search vendor "Sap" for product "Web Dispatcher" and version "7.53" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.77 Search vendor "Sap" for product "Web Dispatcher" and version "7.77" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.81 Search vendor "Sap" for product "Web Dispatcher" and version "7.81" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.85 Search vendor "Sap" for product "Web Dispatcher" and version "7.85" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.86 Search vendor "Sap" for product "Web Dispatcher" and version "7.86" | - |
Affected
| ||||||
| Sap Search vendor "Sap" | Web Dispatcher Search vendor "Sap" for product "Web Dispatcher" | 7.87 Search vendor "Sap" for product "Web Dispatcher" and version "7.87" | - |
Affected
| ||||||