#VU78958 Inconsistent interpretation of HTTP requests in SAP products - CVE-2022-22536


Published: August 4, 2023 / Updated: April 4, 2025


Vulnerability identifier: #VU78958
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2022-22536
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
SAP NetWeaver AS ABAP
SAP NetWeaver AS JAVA
SAP Content Server
SAP Web Dispatcher WEBDISP
Software vendor:
SAP

Description

The vulnerability allows a remote, unauthenticated attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to inconsistent interpretation of HTTP requests (CWE-444) between the affected SAP HTTP components: the front end that accepts the request and the application server behind it disagree on where one request ends and the next begins. A remote attacker can exploit this to prepend a victim's request with arbitrary data, and thereby execute functions while impersonating the victim or poison intermediary web caches.

Successful exploitation of the vulnerability can result in full system compromise.
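The mechanism behind "prepending a victim's request with arbitrary data" is easiest to see in a toy model. The following is an added example, not code from this advisory or from SAP: it models a generic CL.TE desync (front end frames by Content-Length, back end honours Transfer-Encoding: chunked) over a shared back-end connection, and is not a reproduction of the ICM defect itself. The host name and both requests are constructed for the example.

```python
"""Toy model of an HTTP request-smuggling desync (CWE-444).

Two components share one back-end TCP connection but frame messages
differently: the front end trusts Content-Length, the back end lets
Transfer-Encoding: chunked win. Bytes the front end treats as body are
left in the back end's buffer and become the prefix of the next request.
This is a generic illustration, not SAP's ICM implementation.
"""


def parse_head(buf: bytes):
    """Split off request line and headers.

    Returns (request_line, headers, body_offset), where headers maps the
    lower-cased name to a list of values, or None if no blank line yet.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def chunked_body_len(body: bytes):
    """Length of a chunked body including the terminating 0-chunk and its
    CRLF, or None if the body is not complete yet (trailers not modelled)."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl == -1:
            return None
        size = int(body[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if len(body) < pos + size + 2:
            return None
        pos += size + 2


def frame_requests(stream: bytes, honour_chunked: bool):
    """Cut a byte stream into complete requests the way one component would.

    honour_chunked=False models a front end framing by Content-Length only;
    True models a back end that prefers Transfer-Encoding: chunked.
    Returns (list of complete request byte strings, unconsumed leftover).
    """
    requests, buf = [], stream
    while True:
        head = parse_head(buf)
        if head is None:
            return requests, buf
        _, headers, body_start = head
        body = buf[body_start:]
        te = headers.get("transfer-encoding", [""])[-1].lower()
        if honour_chunked and te == "chunked":
            n = chunked_body_len(body)
        else:
            n = int(headers.get("content-length", ["0"])[0])
            if len(body) < n:
                n = None
        if n is None:  # message not complete yet, keep buffering
            return requests, buf
        requests.append(buf[:body_start + n])
        buf = buf[body_start + n:]


def is_ambiguous_framing(headers) -> bool:
    """Hardening check a front end can apply before forwarding: refuse any
    request whose length could be computed in more than one way."""
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        return True
    if len(set(cl)) > 1:
        return True
    return any(v.lower() != "chunked" for v in te)


def simulate(attacker: bytes, victim: bytes):
    """Replay two client requests through a CL front end and a TE back end.

    Returns the request lines each component believes it handled, the bytes
    the back end still holds after the attacker's request alone, and the
    headers of the last request the back end framed."""
    front, _ = frame_requests(attacker + victim, honour_chunked=False)
    # Back end state after only the attacker's bytes were forwarded.
    _, leftover = frame_requests(front[0], honour_chunked=True)
    # The front end forwards everything it framed over one connection.
    back, _ = frame_requests(b"".join(front), honour_chunked=True)
    return {
        "front": [parse_head(r)[0] for r in front],
        "back": [parse_head(r)[0] for r in back],
        "leftover": leftover,
        "smuggled_headers": parse_head(back[-1])[1],
    }


# Constructed sample traffic (not captured from any real system).
SMUGGLED = b"GET /admin HTTP/1.1\r\nX-Ignore: "
ATTACKER = (b"POST / HTTP/1.1\r\nHost: sap.example\r\n"
            b"Content-Length: " + str(5 + len(SMUGGLED)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n"
            b"0\r\n\r\n" + SMUGGLED)
VICTIM = (b"GET /victim HTTP/1.1\r\nHost: sap.example\r\n"
          b"Cookie: session=victim-cookie\r\n\r\n")

if __name__ == "__main__":
    r = simulate(ATTACKER, VICTIM)
    print("front end framed:", r["front"])
    print("back end framed: ", r["back"])
    print("hardened front end rejects attacker request:",
          is_ambiguous_framing(parse_head(ATTACKER)[1]))
```

The front end sees `POST /` followed by `GET /victim`; the back end sees `POST /` followed by `GET /admin`, with the victim's Cookie header now attached to the attacker-chosen request line. `is_ambiguous_framing` is the kind of check a hardened front end applies so that a request carrying both length mechanisms is never forwarded.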


Remediation

Install the updates from the vendor's website. Because the flaw is in the HTTP request handling of every product listed above, patch each affected component, including standalone SAP Web Dispatcher instances placed in front of application servers, not only the application servers themselves.

External links