Skip to main content
All vulnerabilities
CVE-2022-22536

SAP Multiple Products HTTP Request Smuggling Vulnerability

SAPMultiple Products

Added to KEV catalog
18 August 2022
Federal remediation due date
8 September 2022
Weakness classification (CWE)
CWE-444

CISA Description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.

Required action

Apply updates per vendor instructions.

Notes

SAP users must have an account in order to login and access the patch. https://accounts.sap.com/saml2/idp/sso; https://nvd.nist.gov/vuln/detail/CVE-2022-22536

Confirm Your Exposure

Is this vulnerability present in your environment?

CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.

Explore VAPT Services