SAP Multiple Products HTTP Request Smuggling Vulnerability

Added Aug. 18, 2022 • Due Sept. 8, 2022 • CVE-2022-22536

Overdue SAP / Multiple Products CWE-444

Description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.

Required Action

Apply updates per vendor instructions.

References

SAP users must have an account in order to login and access the patch. https://accounts.sap.com/saml2/idp/sso
https://nvd.nist.gov/vuln/detail/CVE-2022-22536

Additional Information

Catalog Version: 2025.01.24
Catalog Released: Jan. 24, 2025
Days Until Due: 0 days
Last Updated: 4 months, 4 weeks ago