Inconsistent interpretation of HTTP requests in SAP products - CVE-2021-33683
Published: April 17, 2023
Vulnerability identifier: #VU75156
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-33683
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SAP
Affected software:
SAP Web Dispatcher Kernel
SAP Web Dispatcher WEBDISP
Internet Communication Manager (ICM) KRNL32UC
Internet Communication Manager (ICM) KRNL64UC
Internet Communication Manager (ICM) KRNL64NUC
Internet Communication Manager (ICM) KRNL32NUC
SAP Web Dispatcher Kernel
SAP Web Dispatcher WEBDISP
Internet Communication Manager (ICM) KRNL32UC
Internet Communication Manager (ICM) KRNL64UC
Internet Communication Manager (ICM) KRNL64NUC
Internet Communication Manager (ICM) KRNL32NUC
Detailed vulnerability description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
How to mitigate CVE-2021-33683
Install updates from vendor's website.