SAP NetWeaver, SAP Content Server and SAP Web Dispatcher HTTP request smuggling | CVE-2022-22536
NAME
SAP NetWeaver, SAP Content Server and SAP Web Dispatcher HTTP request smuggling
- Platforms Affected:
SAP Web Dispatcher WEBDISP 7.53
SAP Web Dispatcher WEBDISP 7.73
SAP Web Dispatcher WEBDISP 7.77
SAP Web Dispatcher WEBDISP 7.81
SAP Web Dispatcher WEBDISP 7.82
SAP Web Dispatcher WEBDISP 7.83
SAP Web Dispatcher WEBDISP 7.85
SAP Web Dispatcher WEBDISP 7.86
SAP Web Dispatcher WEBDISP 7.87
- Risk Level: 10
- Exploitability: Unproven
- Consequences: Gain Access
DESCRIPTION
SAP NetWeaver, SAP Content Server and SAP Web Dispatcher are vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP Transfer-Encoding request header. Request smuggling arises when two components on the request path (for example a reverse proxy such as SAP Web Dispatcher in front of an application server) disagree about where one HTTP message ends and the next begins, so bytes the front end treats as the body of one request are processed by the back end as the start of another. By sending a request with a specially crafted Transfer-Encoding header over HTTP or HTTPS, an unauthenticated remote attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks against other users of the affected system.
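The following is an added example written for this entry; it is not SAP code and does not reproduce the SAP-specific parsing defect behind CVE-2022-22536, which the advisory does not detail. It models the general class the description refers to: a front end that frames the body by Content-Length and a back end that frames it by Transfer-Encoding split the same byte stream into a different number of requests, so a second request "smuggled" in the body reaches the back end on the shared connection. The raw request bytes are constructed, and all function names (`parse_head`, `split_stream`, `ambiguous_framing`) are this example's own. The last function is the framing check a front end can apply to reject such requests outright, which RFC 7230 section 3.3.3 permits.

```python
# Added example for this advisory: a model of the CL.TE desynchronisation
# class that HTTP request smuggling belongs to. Not SAP code; it does not
# reproduce the SAP-specific parser defect behind CVE-2022-22536. The raw
# request bytes are constructed and the function names are this example's.

# Constructed smuggling attempt. A front end trusting Content-Length forwards
# the whole stream as ONE request; a back end trusting Transfer-Encoding stops
# at the 0-chunk and treats the trailing GET /admin as a SECOND request, which
# is then prepended to whatever the next client sends on that connection.
SMUGGLED_TAIL = b"GET /admin HTTP/1.1\r\nHost: backend.example\r\n\r\n"
SMUGGLED_BODY = b"0\r\n\r\n" + SMUGGLED_TAIL
SMUGGLED = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: frontend.example\r\n",
    b"Content-Length: " + str(len(SMUGGLED_BODY)).encode("ascii") + b"\r\n",
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    SMUGGLED_BODY,
])

# Constructed unambiguous request for comparison.
CLEAN = b"POST / HTTP/1.1\r\nHost: frontend.example\r\nContent-Length: 5\r\n\r\nhello"


def parse_head(raw: bytes):
    """Split one message head off `raw`.

    Returns (request_line, headers, body_offset). `headers` maps lower-cased
    names to the list of values seen, so duplicate headers are not lost.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip().decode("ascii", "replace"))
    return lines[0].decode("ascii", "replace"), headers, len(head) + 4


def end_of_chunked_body(raw: bytes, pos: int) -> int:
    """Offset just past a chunked body (trailers are not modelled here)."""
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return pos + 2          # skip the empty line that terminates the body
        pos += size + 2             # chunk data plus its trailing CRLF


def split_stream(raw: bytes, framing: str):
    """Return the request lines a parser sees in `raw`.

    framing="cl": Content-Length wins even when Transfer-Encoding is present (flawed)
    framing="te": Transfer-Encoding wins, as RFC 7230 section 3.3.3 requires
    """
    seen, pos = [], 0
    while pos < len(raw):
        req_line, hdrs, body_off = parse_head(raw[pos:])
        body_start = pos + body_off
        te = hdrs.get("transfer-encoding", [""])[0].lower()
        cl = hdrs.get("content-length", [None])[0]
        if framing == "te" and "chunked" in te:
            end = end_of_chunked_body(raw, body_start)
        elif cl is not None:
            end = body_start + int(cl)
        elif "chunked" in te:
            end = end_of_chunked_body(raw, body_start)
        else:
            end = body_start        # no body
        seen.append(req_line)
        pos = end
    return seen


def ambiguous_framing(hdrs) -> bool:
    """Hardening check for a front end: True if the body length could be read
    two ways, in which case the request should be answered with 400 rather
    than forwarded (RFC 7230 section 3.3.3 allows rejecting such requests)."""
    te = hdrs.get("transfer-encoding")
    cl = hdrs.get("content-length")
    if te is not None and cl is not None:
        return True                                         # both present: CL.TE / TE.CL
    if cl is not None and (len(set(cl)) > 1 or not all(v.isdigit() for v in cl)):
        return True                                         # conflicting or malformed lengths
    if te is not None and (len(te) > 1 or te[0].lower() != "chunked"):
        return True                                         # anything but a bare "chunked"
    return False


if __name__ == "__main__":
    print("front end (Content-Length framing):", split_stream(SMUGGLED, "cl"))
    print("back end  (Transfer-Encoding framing):", split_stream(SMUGGLED, "te"))
    print("front end should reject:", ambiguous_framing(parse_head(SMUGGLED)[1]))
```

Run stand-alone, the front-end view lists one request while the back-end view lists two, which is exactly the disagreement a smuggling attack relies on; `ambiguous_framing` flags the constructed request and passes the clean one. Rejecting ambiguous framing at the edge is a generic defence-in-depth measure and does not replace applying the vendor patch referenced below.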
CVSS 3.0 Information
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Current SAP customers should refer to SAP note 3123396 for patch information, available from the SAP Web site (login required). See References.
- Reference Link: https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
- Reference Link: https://launchpad.support.sap.com/