CVE-2022-22536: SAP Multiple Products HTTP Request Smuggling Vulnerability
First published: Wed Feb 09 2022(Updated: )
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Credit: cna@sap.com cna@sap.com cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Multiple Products | ||
| SAP Content Server | =7.53 | |
| SAP NetWeaver Application Server | =7.22 | |
| SAP NetWeaver Application Server | =7.49 | |
| SAP NetWeaver Application Server | =7.53 | |
| SAP NetWeaver Application Server | =7.77 | |
| SAP NetWeaver Application Server | =7.81 | |
| SAP NetWeaver Application Server | =7.85 | |
| SAP NetWeaver Application Server | =7.86 | |
| SAP NetWeaver Application Server | =7.87 | |
| SAP NetWeaver Application Server | =8.04 | |
| SAP NetWeaver Application Server | =krnl64nuc_7.22 | |
| SAP NetWeaver Application Server | =krnl64nuc_7.22ext | |
| SAP NetWeaver Application Server | =krnl64nuc_7.49 | |
| SAP NetWeaver Application Server | =krnl64uc_7.22 | |
| SAP NetWeaver Application Server | =krnl64uc_7.22ext | |
| SAP NetWeaver Application Server | =krnl64uc_7.49 | |
| SAP NetWeaver Application Server | =krnl64uc_7.53 | |
| SAP NetWeaver Application Server | =krnl64uc_8.04 | |
| SAP Web Dispatcher | =7.22ext | |
| SAP Web Dispatcher | =7.49 | |
| SAP Web Dispatcher | =7.53 | |
| SAP Web Dispatcher | =7.77 | |
| SAP Web Dispatcher | =7.81 | |
| SAP Web Dispatcher | =7.85 | |
| SAP Web Dispatcher | =7.86 | |
| SAP Web Dispatcher | =7.87 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-22536?
CVE-2022-22536 is a vulnerability in SAP Multiple Products that allows an unauthenticated attacker to prepend a victim's request with arbitrary data.
Which products are affected by CVE-2022-22536?
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher are affected by CVE-2022-22536.
How severe is CVE-2022-22536?
CVE-2022-22536 has a severity rating of critical.
How can an attacker exploit CVE-2022-22536?
An attacker can exploit CVE-2022-22536 by performing request smuggling and request concatenation.
Are there any available patches or mitigations for CVE-2022-22536?
Yes, SAP has released patches and mitigations for CVE-2022-22536. Please refer to the official SAP notes and documentation for more information.
- agent/type
- agent/title
- agent/weakness
- agent/description
- agent/first-publish-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/author
- agent/event
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- vendor/sap
- canonical/sap multiple products
- canonical/sap content server
- version/sap content server/7.53
- canonical/sap netweaver application server
- version/sap netweaver application server/7.22
- version/sap netweaver application server/7.49
- version/sap netweaver application server/7.53
- version/sap netweaver application server/7.77
- version/sap netweaver application server/7.81
- version/sap netweaver application server/7.85
- version/sap netweaver application server/7.86
- version/sap netweaver application server/7.87
- version/sap netweaver application server/8.04
- version/sap netweaver application server/krnl64nuc_7.22
- version/sap netweaver application server/krnl64nuc_7.22ext
- version/sap netweaver application server/krnl64nuc_7.49
- version/sap netweaver application server/krnl64uc_7.22
- version/sap netweaver application server/krnl64uc_7.22ext
- version/sap netweaver application server/krnl64uc_7.49
- version/sap netweaver application server/krnl64uc_7.53
- version/sap netweaver application server/krnl64uc_8.04
- canonical/sap web dispatcher
- version/sap web dispatcher/7.22ext
- version/sap web dispatcher/7.49
- version/sap web dispatcher/7.53
- version/sap web dispatcher/7.77
- version/sap web dispatcher/7.81
- version/sap web dispatcher/7.85
- version/sap web dispatcher/7.86
- version/sap web dispatcher/7.87