SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSap Content Server
APPSap7.53Sap Netweaver Application Server Abap
APPSap7.227.497.537.777.817.857.867.878.04krnl64nuc_7.22krnl64nuc_7.22extkrnl64nuc_7.49krnl64uc_7.22krnl64uc_7.22extkrnl64uc_7.49+ 2 więcejSap Web Dispatcher
APPSap7.22ext7.497.537.777.817.857.867.87
CISA KEV — detailsi
- Vendori
- SAP
- Producti
- Multiple Products
- Added to KEVi
- August 18, 2022
- Remediation deadline (US Federal)i
- September 8, 2022(overdue)
Apply updates per vendor instructions.
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.
Related vulnerabilities
SAP CRM / S/4HANA Scripting Editor — nieautoryzowane wykonanie SQL
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong aut...
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752,...
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO ...
SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, ...