#VU75156 Inconsistent interpretation of HTTP requests in SAP products - CVE-2021-33683
Published: April 17, 2023
Vulnerability identifier: #VU75156
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-33683
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
SAP Web Dispatcher Kernel
SAP Web Dispatcher WEBDISP
Internet Communication Manager (ICM) KRNL32UC
Internet Communication Manager (ICM) KRNL64UC
Internet Communication Manager (ICM) KRNL64NUC
Internet Communication Manager (ICM) KRNL32NUC
SAP Web Dispatcher Kernel
SAP Web Dispatcher WEBDISP
Internet Communication Manager (ICM) KRNL32UC
Internet Communication Manager (ICM) KRNL64UC
Internet Communication Manager (ICM) KRNL64NUC
Internet Communication Manager (ICM) KRNL32NUC
Software vendor:
SAP
SAP
Description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
Remediation
Install updates from vendor's website.