SAP NetWeaver Application Server Java HTTP Request Smuggling | CVE-2022-22532
NAME
SAP NetWeaver Application Server Java HTTP Request Smuggling
- Platforms Affected:
  SAP NetWeaver Application Server Java KRNL64NUC 7.22
  SAP NetWeaver Application Server Java KRNL64NUC 7.22EXT
  SAP NetWeaver Application Server Java KRNL64NUC 7.49
  SAP NetWeaver Application Server Java KRNL64UC 7.22
  SAP NetWeaver Application Server Java KRNL64UC 7.22EXT
  SAP NetWeaver Application Server Java KRNL64UC 7.49
  SAP NetWeaver Application Server Java KRNL64UC 7.53
  SAP NetWeaver Application Server Java KERNEL 7.22
  SAP NetWeaver Application Server Java KERNEL 7.49
  SAP NetWeaver Application Server Java KERNEL 7.53
- Risk Level: 8.1
- Exploitability: Unproven
- Consequences: Gain Access
DESCRIPTION
SAP NetWeaver Application Server Java is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP Transfer-Encoding request header. By sending an HTTP(S) request with a specially crafted Transfer-Encoding header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
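The precondition for the smuggling described above is that a front-end component and the application server frame the same request differently, which only happens when the framing headers are ambiguous. The following is an added defensive check, not code from SAP or from this advisory: it parses the header block of a raw HTTP/1.1 request and reports the shapes (Content-Length together with Transfer-Encoding, conflicting lengths, and non-canonical or malformed Transfer-Encoding lines) that a reverse proxy or log pipeline in front of the affected systems should reject or alert on. The sample requests are constructed for illustration.

```python
"""Flag HTTP/1.1 requests whose message framing is ambiguous (constructed
defensive check, not SAP's code): alert when Content-Length and
Transfer-Encoding could be framed differently by two parsers."""
from __future__ import annotations
import re

# Strict Transfer-Encoding value: lowercase coding tokens separated by ", ".
_TE_CANON = re.compile(r"^[a-z]+(, [a-z]+)*$")

def parse_headers(raw: bytes) -> list[tuple[str, str, bool]]:
    """Return (lowercased name, raw value, well_formed) per header line; well_formed
    is False for obs-fold continuations, space before the colon, or no colon."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    out = []
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        if not line:
            continue
        if line[0] in " \t" or ":" not in line:
            out.append(("", line, False))
            continue
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value, name == name.rstrip()))
    return out

def framing_findings(raw: bytes) -> list[str]:
    """Return reasons the framing is ambiguous; an empty list means clean."""
    hdrs = parse_headers(raw)
    findings = []
    if any(not ok for _, _, ok in hdrs):
        findings.append("malformed-header-line")
    cl = [v.strip() for n, v, _ in hdrs if n == "content-length"]
    te = [v for n, v, _ in hdrs if n == "transfer-encoding"]
    if cl and te:
        findings.append("cl-and-te-present")
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    if len(te) > 1:
        findings.append("duplicate-transfer-encoding")
    # Accept only ": chunked"-style values: one leading space, canonical
    # tokens, "chunked" as the final coding. Anything else is flagged.
    if any(not (v.startswith(" ") and _TE_CANON.match(v[1:])
                and v[1:].split(", ")[-1] == "chunked") for v in te):
        findings.append("noncanonical-transfer-encoding")
    return findings

# Constructed sample requests (not captured from any real system).
CLEAN = b"POST /x HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
AMBIGUOUS = (b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding : chunked\r\n\r\nabcd")
```

Rejecting such requests at the edge (or normalizing them to a single unambiguous framing before forwarding) removes the parser discrepancy the vulnerability depends on, independently of the kernel patch.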
CVSS 3.0 Information
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Access Vector: Network
- Access Complexity: High
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Current SAP customers should refer to SAP note 3123427 for patch information, available from the SAP Web site (login required). See References.
- Reference Link: https://launchpad.support.sap.com/
- Reference Link: https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022