#VU78958 Inconsistent interpretation of HTTP requests in SAP products - CVE-2022-22536


Updated: 2025-04-04

Vulnerability identifier: #VU78958

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2022-22536

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
SAP NetWeaver AS ABAP (Server applications / Application servers)
SAP NetWeaver AS JAVA (Server applications / Application servers)
SAP Content Server (Web applications / CMS)
SAP Web Dispatcher WEBDISP (Server applications / Other server solutions)

Vendor: SAP

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can prepend a victim's request with arbitrary data and execute functions impersonating the victim or poison intermediary Web caches.

Successful exploitation of the vulnerability can result in full system compromise.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

SAP NetWeaver AS ABAP: 753

SAP NetWeaver AS JAVA: 7.53

SAP Content Server: 7.53

SAP Web Dispatcher WEBDISP: 7.53


External links
https://launchpad.support.sap.com/#/notes/3123396
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.
