CVE-2022-22536
Published: 09 February 2022
Summary
CVE-2022-22536 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in SAP NetWeaver Application Server ABAP. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher are affected by a request smuggling and request concatenation vulnerability tracked as CVE-2022-22536. The flaw, assigned CWE-444, permits an unauthenticated remote attacker to prepend arbitrary data to a victim's HTTP request, which can be used to manipulate how the server processes subsequent requests.
An attacker can exploit the issue over the network without authentication or user interaction to impersonate the victim and invoke functions on their behalf or to poison intermediary web caches. Successful exploitation yields complete loss of confidentiality, integrity, and availability, reflected in the CVSS 3.1 base score of 10.0.
SAP has published remediation details in security note 3123396 and the associated February 2022 security patch release, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. The associated EPSS score has remained at a persistently high level, with a current value of 0.9383 and a recorded peak of 0.9683.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27682
Vulnerability details
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
- CWE(s): CWE-444
- KEV Date Added: 18 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of HTTP request syntax and headers to block smuggling/concatenation attempts that prepend attacker data.
- SC-7 (Boundary Protection): enforces boundary-level inspection and filtering of HTTP traffic at SAP Web Dispatcher and AS components to stop request smuggling before it reaches backend servers.
- Information flow control: limits the flow of information between clients and SAP services, reducing the ability of malformed concatenated requests to impersonate users or poison caches.
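The SI-10 control above calls for validating HTTP request syntax and headers. The following is an added example, not SAP's fix and not code from this page: a generic strict-framing check in Python that rejects the ambiguities CWE-444 relies on, namely conflicting or duplicate length headers, malformed header lines, and bytes left over after the declared body, which is where a second request would be concatenated onto the first. The sample requests are constructed, the header-name grammar follows RFC 9110, and the check is a defender-side filter (for a reverse proxy or for replaying captured traffic); it does not model the SAP ICM's actual parser.

```python
"""Strict HTTP/1.1 request-framing validator (added example; not SAP's code)."""
import re
from dataclasses import dataclass, field

# RFC 9110 token characters for header names; spaces and control bytes are
# rejected rather than tolerated, so 'Content-Length :' style tricks fail here.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def _chunked_end(body: bytes):
    """Return the offset just past a well-formed chunked body, or None."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return None
        size_field = body[pos:nl].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return None
        pos = nl + 2
        if size == 0:                      # last chunk: trailers end at an empty line
            while True:
                nl = body.find(b"\r\n", pos)
                if nl < 0:
                    return None
                if nl == pos:
                    return pos + 2
                pos = nl + 2
        pos += size
        if body[pos:pos + 2] != b"\r\n":   # chunk data must be followed by CRLF
            return None
        pos += 2


def validate_request_framing(raw: bytes) -> Verdict:
    """Check one raw HTTP/1.1 request for framing ambiguities; collect every reason."""
    reasons: list[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, ["incomplete header block"])
    lines = head.split(b"\r\n")
    if any(b"\n" in line for line in lines):
        reasons.append("bare LF inside header block")
    if not REQUEST_LINE_RE.match(lines[0]):
        reasons.append("malformed request line")
    content_lengths: list[bytes] = []
    transfer_encodings: list[bytes] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            reasons.append("obsolete line folding")
            continue
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            reasons.append(f"invalid header field {line[:40]!r}")
            continue
        value = value.strip(b" \t")
        if name.lower() == b"content-length":
            content_lengths.append(value)
        elif name.lower() == b"transfer-encoding":
            transfer_encodings.extend(v.strip().lower() for v in value.split(b","))
    if content_lengths and transfer_encodings:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        reasons.append("conflicting Content-Length values")
    declared = None
    for cl in content_lengths:
        if not cl.isdigit():
            reasons.append("non-numeric Content-Length")
        else:
            declared = int(cl)
    if transfer_encodings:
        if transfer_encodings[-1] != b"chunked":
            reasons.append("Transfer-Encoding does not end with chunked")
        elif transfer_encodings.count(b"chunked") == 1:
            end = _chunked_end(body)
            if end is None:
                reasons.append("malformed chunked body")
            elif len(body) > end:          # a second request riding on the first
                reasons.append("bytes beyond end of chunked body")
        else:
            reasons.append("chunked applied more than once")
    elif declared is not None and len(body) > declared:
        reasons.append("bytes beyond declared Content-Length")
    return Verdict(not reasons, reasons)


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"POST /app HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 5\r\n\r\nhello")
SAMPLE_CL_TE = (b"POST /app HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SAMPLE_CONCAT = SAMPLE_OK + b"GET /other HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_CHUNKED_OK = (b"POST /app HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
SAMPLE_CHUNKED_EXTRA = SAMPLE_CHUNKED_OK + b"GET /other HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_OK), ("cl+te", SAMPLE_CL_TE),
                          ("concatenated", SAMPLE_CONCAT),
                          ("chunked", SAMPLE_CHUNKED_OK),
                          ("chunked+extra", SAMPLE_CHUNKED_EXTRA)]:
        v = validate_request_framing(sample)
        print(f"{label:14s} ok={v.ok} {v.reasons}")
```

The validator collects every reason rather than stopping at the first, so a log pipeline can count which ambiguity classes appear at the boundary; any non-empty `reasons` list is a request a boundary device (SC-7) should drop rather than forward, since the only legitimate senders of such framing are misbehaving clients.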