cve-2022-22536
Vulnerability from cvelistv5
Published
2022-02-09 22:05
Modified
2024-08-03 03:14
Severity ?
EPSS score ?
Summary
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/3123396 | Permissions Required | |
| cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Not Applicable, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/3123396 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Not Applicable, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | SAP SE | SAP NetWeaver and ABAP Platform |
Version: KERNEL 7.22 Version: 8.04 Version: 7.49 Version: 7.53 Version: 7.77 Version: 7.81 Version: 7.85 Version: 7.86 Version: 7.87 Version: KRNL64UC 8.04 Version: 7.22 Version: 7.22EXT Version: KRNL64NUC 7.22 |
||||||||
|
|||||||||||
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2022-08-18
Due date: 2022-09-08
Required action: Apply updates per vendor instructions.
Used in ransomware: Unknown
Notes: SAP users must have an account in order to login and access the patch. https://accounts.sap.com/saml2/idp/sso; https://nvd.nist.gov/vuln/detail/CVE-2022-22536
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:14:55.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/3123396"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver and ABAP Platform",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "KERNEL 7.22"
},
{
"status": "affected",
"version": "8.04"
},
{
"status": "affected",
"version": "7.49"
},
{
"status": "affected",
"version": "7.53"
},
{
"status": "affected",
"version": "7.77"
},
{
"status": "affected",
"version": "7.81"
},
{
"status": "affected",
"version": "7.85"
},
{
"status": "affected",
"version": "7.86"
},
{
"status": "affected",
"version": "7.87"
},
{
"status": "affected",
"version": "KRNL64UC 8.04"
},
{
"status": "affected",
"version": "7.22"
},
{
"status": "affected",
"version": "7.22EXT"
},
{
"status": "affected",
"version": "KRNL64NUC 7.22"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SAP Web Dispatcher",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "7.49"
},
{
"status": "affected",
"version": "7.53"
},
{
"status": "affected",
"version": "7.77"
},
{
"status": "affected",
"version": "7.81"
},
{
"status": "affected",
"version": "7.85"
},
{
"status": "affected",
"version": "7.22EXT"
},
{
"status": "affected",
"version": "7.86"
},
{
"status": "affected",
"version": "7.87"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SAP Content Server",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "7.53"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u0027s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\u003c/p\u003e"
}
],
"value": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u0027s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T03:11:25.429Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/3123396"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2022-22536",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP NetWeaver and ABAP Platform",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "KERNEL 7.22"
},
{
"version_affected": "=",
"version_value": "8.04"
},
{
"version_affected": "=",
"version_value": "7.49"
},
{
"version_affected": "=",
"version_value": "7.53"
},
{
"version_affected": "=",
"version_value": "7.77"
},
{
"version_affected": "=",
"version_value": "7.81"
},
{
"version_affected": "=",
"version_value": "7.85"
},
{
"version_affected": "=",
"version_value": "7.86"
},
{
"version_affected": "=",
"version_value": "7.87"
},
{
"version_affected": "=",
"version_value": "KRNL64UC 8.04"
},
{
"version_affected": "=",
"version_value": "7.22"
},
{
"version_affected": "=",
"version_value": "7.22EXT"
},
{
"version_affected": "=",
"version_value": "7.49"
},
{
"version_affected": "=",
"version_value": "7.53"
},
{
"version_affected": "=",
"version_value": "KRNL64NUC 7.22"
},
{
"version_affected": "=",
"version_value": "7.22EXT"
},
{
"version_affected": "=",
"version_value": "7.49"
}
]
}
},
{
"product_name": "SAP Web Dispatcher",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.49"
},
{
"version_affected": "=",
"version_value": "7.53"
},
{
"version_affected": "=",
"version_value": "7.77"
},
{
"version_affected": "=",
"version_value": "7.81"
},
{
"version_affected": "=",
"version_value": "7.85"
},
{
"version_affected": "=",
"version_value": "7.22EXT"
},
{
"version_affected": "=",
"version_value": "7.86"
},
{
"version_affected": "=",
"version_value": "7.87"
}
]
}
},
{
"product_name": "SAP Content Server",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.53"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u0027s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system."
}
]
},
"impact": {
"cvss": {
"baseScore": "null",
"vectorString": "null",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-444"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.support.sap.com/#/notes/3123396",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/3123396"
},
{
"name": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html",
"refsource": "MISC",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2022-22536",
"datePublished": "2022-02-09T22:05:24",
"dateReserved": "2022-01-04T00:00:00",
"dateUpdated": "2024-08-03T03:14:55.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2022-22536",
"cwes": "[\"CWE-444\"]",
"dateAdded": "2022-08-18",
"dueDate": "2022-09-08",
"knownRansomwareCampaignUse": "Unknown",
"notes": "SAP users must have an account in order to login and access the patch. https://accounts.sap.com/saml2/idp/sso; https://nvd.nist.gov/vuln/detail/CVE-2022-22536",
"product": "Multiple Products",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim\u0027s request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.",
"vendorProject": "SAP",
"vulnerabilityName": "SAP Multiple Products HTTP Request Smuggling Vulnerability"
},
"fkie_nvd": {
"cisaActionDue": "2022-09-08",
"cisaExploitAdd": "2022-08-18",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "SAP Multiple Products HTTP Request Smuggling Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A02FB973-7FA0-4881-B912-27F4CFBDC673\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"16B3C589-DF11-459D-8A3F-1A1FD2265022\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9FBC5614-7C3F-4AD8-8640-0499B8B03C64\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E8CB869-C342-4362-9A4A-298F0B5F4003\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"89E7439E-F4D6-45EA-99FC-C9B34D4D590E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"252DCEF2-8DDF-467F-8869-B69A0A3426F8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9BC578BE-2308-491E-9D56-6B45AFF0FCFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.86:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C0E10A3-591A-4FA7-9B98-D54C3D6C63FA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:7.87:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"150B6370-F18A-4657-95ED-D969BF7C39CE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:8.04:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"12974FFA-3168-4A80-ACFB-D5E065A89383\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AB7E91DE-A52F-4E57-8397-7670E30C8B5C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AB478A3C-4DD5-4F42-B2F1-9B7CCBA1B995\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"23257C18-B75C-471C-9EAF-1E86DEE845FA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A01290A1-3C1B-4AF7-9284-C164BDEC85A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6D5F8B53-ECAD-4CD2-8F91-25112569C056\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ADE160BD-659F-4517-B625-61CFB2FBD456\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"88CD861F-08FB-4CE1-923C-79D1480A2259\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D3F76E6A-2F27-450C-AAB5-E49A64079CAC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.49:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0B4A7850-377C-4463-A5D7-07F516FBD74A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"47D4D542-2EC2-490B-B4E9-3E7BB8D59B77\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E33D9481-3CF6-4AA3-B115-7903AC6DAE25\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.81:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"49FF2A5B-E5F0-4991-9AA3-7CB3B8C62941\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F74EE4D5-E968-4851-89E6-4152F64930F2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.86:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"327A87AD-6635-4511-8505-F4418CD9D49C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:web_dispatcher:7.87:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"324C32FF-6F89-401F-9ADD-57A68320E06D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u0027s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 y SAP Web Dispatcher son vulnerables para el contrabando de peticiones y la concatenaci\\u00f3n de peticiones. Un atacante no autenticado puede a\\u00f1adir datos arbitrarios a la petici\\u00f3n de la v\\u00edctima. De este modo, el atacante puede ejecutar funciones suplantando a la v\\u00edctima o envenenar las cach\\u00e9s web intermediarias. Un ataque con \\u00e9xito podr\\u00eda resultar en el compromiso completo de la Confidencialidad, Integridad y Disponibilidad del sistema\"}]",
"id": "CVE-2022-22536",
"lastModified": "2024-11-21T06:46:58.783",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 10.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-02-09T23:15:18.620",
"references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/3123396\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"cna@sap.com\", \"tags\": [\"Not Applicable\", \"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/3123396\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Not Applicable\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-22536\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2022-02-09T23:15:18.620\",\"lastModified\":\"2024-11-21T06:46:58.783\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u0027s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\\n\\n\"},{\"lang\":\"es\",\"value\":\"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 y SAP Web Dispatcher son vulnerables para el contrabando de peticiones y la concatenaci\u00f3n de peticiones. Un atacante no autenticado puede a\u00f1adir datos arbitrarios a la petici\u00f3n de la v\u00edctima. De este modo, el atacante puede ejecutar funciones suplantando a la v\u00edctima o envenenar las cach\u00e9s web intermediarias. Un ataque con \u00e9xito podr\u00eda resultar en el compromiso completo de la Confidencialidad, Integridad y Disponibilidad del sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-08-18\",\"cisaActionDue\":\"2022-09-08\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"SAP Multiple Products HTTP Request Smuggling Vulnerability\",\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A02FB973-7FA0-4881-B912-27F4CFBDC673\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16B3C589-DF11-459D-8A3F-1A1FD2265022\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FBC5614-7C3F-4AD8-8640-0499B8B03C64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E8CB869-C342-4362-9A4A-298F0B5F4003\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89E7439E-F4D6-45EA-99FC-C9B34D4D590E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"252DCEF2-8DDF-467F-8869-B69A0A3426F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BC578BE-2308-491E-9D56-6B45AFF0FCFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.86:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C0E10A3-591A-4FA7-9B98-D54C3D6C63FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:7.87:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"150B6370-F18A-4657-95ED-D969BF7C39CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:8.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"12974FFA-3168-4A80-ACFB-D5E065A89383\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2D5BECF-C4BA-44C7-9AD7-56865DD9AD60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB7E91DE-A52F-4E57-8397-7670E30C8B5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB478A3C-4DD5-4F42-B2F1-9B7CCBA1B995\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23257C18-B75C-471C-9EAF-1E86DEE845FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A01290A1-3C1B-4AF7-9284-C164BDEC85A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D5F8B53-ECAD-4CD2-8F91-25112569C056\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADE160BD-659F-4517-B625-61CFB2FBD456\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"88CD861F-08FB-4CE1-923C-79D1480A2259\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3F76E6A-2F27-450C-AAB5-E49A64079CAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B4A7850-377C-4463-A5D7-07F516FBD74A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47D4D542-2EC2-490B-B4E9-3E7BB8D59B77\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E33D9481-3CF6-4AA3-B115-7903AC6DAE25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.81:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49FF2A5B-E5F0-4991-9AA3-7CB3B8C62941\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F74EE4D5-E968-4851-89E6-4152F64930F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.86:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"327A87AD-6635-4511-8505-F4418CD9D49C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:web_dispatcher:7.87:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"324C32FF-6F89-401F-9ADD-57A68320E06D\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/3123396\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"cna@sap.com\",\"tags\":[\"Not Applicable\",\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/3123396\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\",\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.