CVE-2022-22533 — Use After Free in SE SAP Netweaver Application Server Java

CWE-416 — Use After Free3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 26.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Java SAP Netweaver Application Server Java

Timeline

PublishedFeb 9

Latest updateFeb 11

Description

Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_java7 versions+6

▶NVDsap/netweaver_application9 versions+8

🔴Vulnerability Details

GHSA

GHSA-qgqm-qrq8-vrcp: Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7↗2022-02-11

▶

CVEList

CVE-2022-22533: Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7↗2022-02-09

▶