Inconsistent interpretation of HTTP requests in SAP products - CVE-2022-22536
Published: August 4, 2023 / Updated: April 4, 2025
Vulnerability identifier: #VU78958
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2022-22536
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: SAP
Affected software:
SAP NetWeaver AS ABAP
SAP NetWeaver AS JAVA
SAP Content Server
SAP Web Dispatcher WEBDISP
SAP NetWeaver AS ABAP
SAP NetWeaver AS JAVA
SAP Content Server
SAP Web Dispatcher WEBDISP
Detailed vulnerability description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can prepend a victim's request with arbitrary data and execute functions impersonating the victim or poison intermediary Web caches.
Successful exploitation of the vulnerability can result in full system compromise.
How to mitigate CVE-2022-22536
Install updates from vendor's website.