Sign-up

ID

VAR-202202-1358


CVE

CVE-2022-22536


TITLE

SAP Multiple Product Environment Issues Vulnerabilities

Trust: 0.6

sources: CNNVD: CNNVD-202202-563

DESCRIPTION

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system

Trust: 0.99

sources: NVD: CVE-2022-22536 // VULMON: CVE-2022-22536

AFFECTED PRODUCTS

vendor:sapmodel:web dispatcherscope:eqversion:7.87

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64uc_8.04

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.49

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64uc_7.53

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.85

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.49

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.77

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.85

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64nuc_7.22ext

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:8.04

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.77

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64uc_7.49

Trust: 1.0

vendor:sapmodel:content serverscope:eqversion:7.53

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.87

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.86

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.53

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.81

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.86

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:7.22

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.81

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64uc_7.22

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64uc_7.22ext

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.53

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64nuc_7.22

Trust: 1.0

vendor:sapmodel:netweaver as abapscope:eqversion:krnl64nuc_7.49

Trust: 1.0

vendor:sapmodel:web dispatcherscope:eqversion:7.22ext

Trust: 1.0

sources: NVD: CVE-2022-22536

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-22536
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202202-563
value: CRITICAL

Trust: 0.6

VULMON: CVE-2022-22536
value: HIGH

Trust: 0.1

NVD: CVE-2022-22536
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.1

NVD: CVE-2022-22536
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: VULMON: CVE-2022-22536 // CNNVD: CNNVD-202202-563 // NVD: CVE-2022-22536

PROBLEMTYPE DATA

problemtype:CWE-444

Trust: 1.0

sources: NVD: CVE-2022-22536

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-563

TYPE

environmental issue

Trust: 0.6

sources: CNNVD: CNNVD-202202-563

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2022-22536

PATCH
title:SAP Remediation measures for multiple product environment issues and vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=181724
Trust: 0.6
title:onapsis_icmad_scannerurl:https://github.com/onapsis/onapsis_icmad_scanner 
Trust: 0.1
title:CVE-2022-22536url:https://github.com/antx-code/cve-2022-22536 
Trust: 0.1
title:SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536url:https://github.com/asurti6783/sap-memory-pipes-desynchronization-vulnerability-mpi-cve-2022-22536 
Trust: 0.1
title: - url:https://github.com/pondoksiber/sap-pentest-cheatsheet 
Trust: 0.1
title:Threatposturl:https://threatpost.com/sap-patches-severe-icmad-bugs/178344/
Trust: 0.1
title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-maximum-severity-sap-vulnerability/
Trust: 0.1
title:The Registerurl:https://www.theregister.co.uk/2022/02/09/microsoft_patch_tuesday/
Trust: 0.1
sources:
            
            
            VULMON: CVE-2022-22536 // 
            
            
            
            CNNVD: CNNVD-202202-563

EXTERNAL IDS
db:NVDid:CVE-2022-22536
Trust: 1.7
db:CNNVDid:CNNVD-202202-563
Trust: 0.6
db:VULMONid:CVE-2022-22536
Trust: 0.1
sources:
            
            
            VULMON: CVE-2022-22536 // 
            
            
            
            CNNVD: CNNVD-202202-563 // 
            
            
            
            NVD: CVE-2022-22536

REFERENCES
url:https://launchpad.support.sap.com/#/notes/3123396
Trust: 1.7
url:https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Trust: 1.6
url:https://wiki.scn.sap.com/wiki/display/psr/sap+security+patch+day+-+february+2022
Trust: 0.7
url:https://vigilance.fr/vulnerability/sap-multiple-vulnerabilities-de-decembre-2021-37478
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/444.html
Trust: 0.1
url:https://github.com/onapsis/onapsis_icmad_scanner
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://threatpost.com/sap-patches-severe-icmad-bugs/178344/
Trust: 0.1
sources:
            
            
            VULMON: CVE-2022-22536 // 
            
            
            
            CNNVD: CNNVD-202202-563 // 
            
            
            
            NVD: CVE-2022-22536

SOURCES
db:VULMONid:CVE-2022-22536
db:CNNVDid:CNNVD-202202-563
db:NVDid:CVE-2022-22536

LAST UPDATE DATE
2022-08-25T22:23:42.381000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2022-22536date:2022-02-11T00:00:00
db:CNNVDid:CNNVD-202202-563date:2022-08-25T00:00:00
db:NVDid:CVE-2022-22536date:2022-08-24T16:15:00

SOURCES RELEASE DATE
db:VULMONid:CVE-2022-22536date:2022-02-09T00:00:00
db:CNNVDid:CNNVD-202202-563date:2022-02-08T00:00:00
db:NVDid:CVE-2022-22536date:2022-02-09T23:15:00