← Back

CVE-2022-22536

nvd nistnuclei
Published: Feb 9, 2022Modified: Feb 25, 2026CISA KEV

JSON object

Loading...
10.0
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 6.0
Source: NVD

Description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Affected (26)

Sap
3 products
Content Server
Netweaver Application Server Abap
Web Dispatcher
Configuration A
26 vulnerable
Vulnerable SoftwareAffected Versions
Content Server
Version 7.53
Sap
Netweaver Application Server Abap
Version 7.22
Netweaver Application Server Abap
Version 7.49
Netweaver Application Server Abap
Version 7.53
Netweaver Application Server Abap
Version 7.77
Netweaver Application Server Abap
Version 7.81
Netweaver Application Server Abap
Version 7.85
Netweaver Application Server Abap
Version 7.86
Netweaver Application Server Abap
Version 7.87
Netweaver Application Server Abap
Version 8.04
Netweaver Application Server Abap
Version krnl64nuc_7.22
Netweaver Application Server Abap
Version krnl64nuc_7.22ext
Netweaver Application Server Abap
Version krnl64nuc_7.49
Netweaver Application Server Abap
Version krnl64uc_7.22
Netweaver Application Server Abap
Version krnl64uc_7.22ext
Netweaver Application Server Abap
Version krnl64uc_7.49
Netweaver Application Server Abap
Version krnl64uc_7.53
Netweaver Application Server Abap
Version krnl64uc_8.04
Sap
Web Dispatcher
Version 7.22ext
Web Dispatcher
Version 7.49
Web Dispatcher
Version 7.53
Web Dispatcher
Version 7.77
Web Dispatcher
Version 7.81
Web Dispatcher
Version 7.85
Web Dispatcher
Version 7.86
Web Dispatcher
Version 7.87

Related CWEs

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (5)

Source: cna@sap.com
Permissions Required
Source: cna@sap.com
Broken LinkNot ApplicableVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkNot ApplicableVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.