PT-2022-1739 · SAP · SAP Content Server +4

Published: 2022-02-09 · Updated: 2025-05-05 · CVE-2022-22536

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

SAP NetWeaver Application Server ABAP versions 7.53 and earlier

SAP NetWeaver Application Server Java versions 7.53 and earlier

ABAP Platform versions 7.53 and earlier

SAP Content Server versions 7.53 and earlier

SAP Web Dispatcher versions 7.53 and earlier

Description:

An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing the attacker to execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity, and Availability of the system.

Recommendations:

SAP NetWeaver Application Server ABAP versions 7.53 and earlier: Update to a version that includes the security patch for request smuggling and request concatenation.

SAP NetWeaver Application Server Java versions 7.53 and earlier: Update to a version that includes the security patch for request smuggling and request concatenation.

ABAP Platform versions 7.53 and earlier: Update to a version that includes the security patch for request smuggling and request concatenation.

SAP Content Server versions 7.53 and earlier: Update to a version that includes the security patch for request smuggling and request concatenation.

SAP Web Dispatcher versions 7.53 and earlier: Update to a version that includes the security patch for request smuggling and request concatenation.

Exploit

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

BDU:2022-01015
CVE-2022-22536

Affected Products

ABAP Platform
SAP Content Server
SAP NetWeaver Application Server ABAP
SAP NetWeaver Application Server Java
SAP Web Dispatcher