CVE-2022-22532

Severity
9.8 CRITICAL
EPSS
2.1%
top 16.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Feb 9
Latest update Feb 11

Description

In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53 - an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence to execute functions that impersonate the victim or even steal the victim's logon session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 2 packages

Vulnerability Details

2
GHSA
GHSA-vvr6-23f2-vp62: In SAP NetWeaver Application Server Java - versions KRNL64NUC 7 (2022-02-11)
CVEList
CVE-2022-22532: In SAP NetWeaver Application Server Java - versions KRNL64NUC 7 (2022-02-09)
CVE-2022-22532 (CRITICAL CVSS 9.8) | In SAP NetWeaver Application Server | cvebase.io