CVE-2022-22536

2022-02-09 23:15:18
CWE-444
sap
web.nvd.nist.gov
726
In Wild
3
Tags: sap, netweaver, abap, java, platform, content server, web dispatcher, vulnerability, request smuggling, request concatenation, cve-2022-22536, nvd

CVSS2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 9.7 (Confidence: High)
EPSS: 0.958 (Percentile: 99.5%)

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Affected configurations

Nvd node (match any of):
  sap content_server 7.53
  sap netweaver_application_server_abap 7.22
  sap netweaver_application_server_abap 7.49
  sap netweaver_application_server_abap 7.53
  sap netweaver_application_server_abap 7.77
  sap netweaver_application_server_abap 7.81
  sap netweaver_application_server_abap 7.85
  sap netweaver_application_server_abap 7.86
  sap netweaver_application_server_abap 7.87
  sap netweaver_application_server_abap 8.04
  sap netweaver_application_server_abap krnl64nuc_7.22
  sap netweaver_application_server_abap krnl64nuc_7.22ext
  sap netweaver_application_server_abap krnl64nuc_7.49
  sap netweaver_application_server_abap krnl64uc_7.22
  sap netweaver_application_server_abap krnl64uc_7.22ext
  sap netweaver_application_server_abap krnl64uc_7.49
  sap netweaver_application_server_abap krnl64uc_7.53
  sap netweaver_application_server_abap krnl64uc_8.04
  sap web_dispatcher 7.22ext
  sap web_dispatcher 7.49
  sap web_dispatcher 7.53
  sap web_dispatcher 7.77
  sap web_dispatcher 7.81
  sap web_dispatcher 7.85
  sap web_dispatcher 7.86
  sap web_dispatcher 7.87

Vendor | Product | Version | CPE
sap | content_server | 7.53 | cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.22 | cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.49 | cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.53 | cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.77 | cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.81 | cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.85 | cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.86 | cpe:2.3:a:sap:netweaver_application_server_abap:7.86:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 7.87 | cpe:2.3:a:sap:netweaver_application_server_abap:7.87:*:*:*:*:*:*:*
sap | netweaver_application_server_abap | 8.04 | cpe:2.3:a:sap:netweaver_application_server_abap:8.04:*:*:*:*:*:*:*
(Rows 1-10 of 261 shown.)

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP NetWeaver and ABAP Platform",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "KERNEL 7.22"
      },
      {
        "status": "affected",
        "version": "8.04"
      },
      {
        "status": "affected",
        "version": "7.49"
      },
      {
        "status": "affected",
        "version": "7.53"
      },
      {
        "status": "affected",
        "version": "7.77"
      },
      {
        "status": "affected",
        "version": "7.81"
      },
      {
        "status": "affected",
        "version": "7.85"
      },
      {
        "status": "affected",
        "version": "7.86"
      },
      {
        "status": "affected",
        "version": "7.87"
      },
      {
        "status": "affected",
        "version": "KRNL64UC 8.04"
      },
      {
        "status": "affected",
        "version": "7.22"
      },
      {
        "status": "affected",
        "version": "7.22EXT"
      },
      {
        "status": "affected",
        "version": "KRNL64NUC 7.22"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "SAP Web Dispatcher",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.49"
      },
      {
        "status": "affected",
        "version": "7.53"
      },
      {
        "status": "affected",
        "version": "7.77"
      },
      {
        "status": "affected",
        "version": "7.81"
      },
      {
        "status": "affected",
        "version": "7.85"
      },
      {
        "status": "affected",
        "version": "7.22EXT"
      },
      {
        "status": "affected",
        "version": "7.86"
      },
      {
        "status": "affected",
        "version": "7.87"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "SAP Content Server",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "7.53"
      }
    ]
  }
]
