CVE-2022-22536: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for…

critical10CVSS 3.1

AVNACLPRNUINSCCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2022-09-08

Exploited in the wild

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Affected

48 ranges· showing 25

Vendor	Product	Version range	Fixed in
sap	content_server	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	netweaver_application_server_abap	—	—
sap	web_dispatcher	—	—
sap	web_dispatcher	—	—
sap	web_dispatcher	—	—
sap	web_dispatcher	—	—
sap	web_dispatcher	—	—
sap	web_dispatcher	—	—
sap	web_dispatcher	—	—

CVSS provenance

nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

vulncheck10.0CRITICAL

cisa10.0CRITICAL