Issued: Thursday, 25 August, 2022
Last Revision: Thursday, 25 August, 2022
Vendor: SAP
Severity Level:
SAP has released patches to address a request smuggling and request concatenation vulnerability affecting several of its products.
An unauthenticated attacker can prepend arbitrary data to a victim's request. By doing so, the attacker can run scripts while impersonating the victim, or compromise intermediary web caches.
A successful attack could result in a total compromise of the affected system's confidentiality, integrity, and availability.
CISA and other researchers have confirmed exploitation of this vulnerability in the wild.
CVE/Vulnerability | Description | CVSS 3.0 Score
CVE-2022-22536 | Request Smuggling and Request Concatenation | 10
Table 1: Vulnerability details

CVE/Vulnerability | Affected Product(s) | Affected Version(s)
CVE-2022-22536 | SAP NetWeaver Application Server ABAP; SAP NetWeaver Application Server Java; ABAP Platform; SAP Content Server 7.53; SAP Web Dispatcher | 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 8.04
Table 2: Vulnerable versions
Organizations are encouraged to apply the updates to the affected products as per the vendor's instructions.
